Analysis Overview
SHA256
ec454237d6fe71ad3987df75978e44ae5bc4cb08687358a1f27a4b88c221e9a5
Threat Level: Likely malicious
The file 81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Event Triggered Execution: Image File Execution Options Injection
Executes dropped EXE
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
Indicator Removal: File Deletion
Checks for any installed AV software in registry
Adds Run key to start application
Checks whether UAC is enabled
Indicator Removal: Clear Persistence
Enumerates connected drives
UPX packed file
Drops file in System32 directory
Drops autorun.inf file
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious behavior: LoadsDriver
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 05:29
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 05:29
Reported
2024-10-31 05:32
Platform
win7-20241023-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\lsass.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| N/A | N/A | C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened (read-only) | \??\e: | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Indicator Removal: File Deletion
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\AUTORUN.INF | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | D:\AUTORUN.INF | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | \??\E:\AUTORUN.INF | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\AUTORUN.INF | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\com\bak | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\com\smss.exe | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\com\smss.exe | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| File created | C:\Windows\SysWOW64\com\netcfg.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\com\lsass.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\com\lsass.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\smss.exe | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\netcfg.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\259439006.log | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\dnsq.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\smss.exe | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| File created | C:\Windows\SysWOW64\259439006.log | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\lsass.exe | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| File created | C:\Windows\SysWOW64\com\lsass.exe | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| File created | C:\Windows\SysWOW64\00302.log | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\smss.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\lsass.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\netcfg.000 | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\00302.log | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\00302.log | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| File created | C:\Windows\SysWOW64\com\netcfg.000 | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dnsq.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
\??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
"c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.~^|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.~|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe
C:\Windows\SysWOW64\com\lsass.exe
"C:\Windows\system32\com\lsass.exe"
C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe
"C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
C:\Windows\SysWOW64\com\lsass.exe
^c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
C:\Windows\SysWOW64\com\smss.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|C:\pagefile.pif"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|E:\pagefile.pif"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|E:\pagefile.pif
C:\Windows\SysWOW64\ping.exe
ping.exe -f -n 1 www.baidu.com
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x530
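The process trees in this report (the behavioral1 list above and the behavioral2 list further down) show the whole installation routine in command lines alone: smss.exe and lsass.exe launched from C:\Windows\system32\com\ rather than System32, cacls granting Everyone:F on that directory and the dropped binaries, rd /del on the dropped files, a silent regsvr32 of netcfg.dll, smss.exe invoked with "source|destination" arguments whose destination is pagefile.pif in the root of C:, D: and E: (alongside the AUTORUN.INF rows below), an executable in the all-users Startup folder, and a single ping to www.baidu.com. The detection script below is an added example written for this page, not sandbox output and not part of the report; its rule names, severities, the benign control line and the reading of the pipe-separated argument as a copy operation are the author's assumptions. It runs the rules over command lines transcribed from the process tree and one constructed control line.

```python
"""Behaviour-based triage of Windows process command lines.

Added example (not part of the sandbox report): rules derived from the
process tree above. Rule names, severities and the benign control line are
the author's own choices, not sandbox signatures.
"""
import re
from dataclasses import dataclass

# Core OS processes that legitimately run only from these two directories.
PROTECTED_NAMES = {"smss.exe", "lsass.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "wininit.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

PATH_RE = re.compile(r'[a-z]:\\[^"\s|^]+\.exe')                     # drive-rooted .exe paths without spaces
ACL_GRANT_RE = re.compile(r"/(?:g|grant)\s+\S+:\(?f\)?(?=\s|$)")     # cacls /g X:F  or  icacls /grant X:(F)
DLL_RE = re.compile(r'[a-z]:\\[^"\s]+\.(?:dll|ocx)')
CLEANUP_RE = re.compile(r'\b(?:rd|rmdir|del)\s+/[sf]\s+/q\s+"?[a-z]:\\windows\\[^"]+\.(?:exe|dll|sys)')
DRIVE_ROOT_COPY_RE = re.compile(r'\|([a-z]:\\[^\\\s"|]+\.(?:pif|exe|scr|com))"?\s*$')


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str
    cmdline: str


def _split(cmdline: str):
    """Return (image, args). Honours a quoted image path; an unquoted path with
    spaces is cut at the first space, which is what cmd.exe does as well."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    head, _, tail = s.partition(" ")
    return head, tail.strip()


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(cmdlines):
    """Run every rule over each command line; at most one Finding per (line, rule)."""
    findings = []
    for line in cmdlines:
        image, args = _split(line)
        name, low = _basename(image), line.lower()

        # 1. smss/lsass/... referenced anywhere but System32/SysWOW64 (masquerading).
        fakes = sorted({p for p in PATH_RE.findall(low)
                        if _basename(p) in PROTECTED_NAMES and _dirname(p) not in SYSTEM_DIRS})
        if fakes:
            findings.append(Finding("masquerading_system_process", "high", ", ".join(fakes), line))

        # 2. cacls/icacls handing out Full control on something under C:\Windows.
        if name in ("cacls.exe", "icacls.exe"):
            target = args.split(" ", 1)[0].strip('"').lower()
            if target.startswith("c:\\windows\\") and ACL_GRANT_RE.search(low):
                findings.append(Finding("acl_grant_windows_dir", "high", target, line))

        # 3. Silent regsvr32 of a DLL living in a *subdirectory* of System32/SysWOW64.
        if name == "regsvr32.exe" and "/s" in low.split():
            m = DLL_RE.search(low)
            if m and any(_dirname(m.group(0)).startswith(d + "\\") for d in SYSTEM_DIRS):
                findings.append(Finding("silent_regsvr32_system32_subdir", "medium", m.group(0), line))

        # 4. cmd.exe deleting a binary under C:\Windows (cleanup of dropped files).
        m = CLEANUP_RE.search(low) if name == "cmd.exe" else None
        if m:
            findings.append(Finding("dropped_binary_cleanup", "medium", m.group(0), line))

        # 5. "src|dst" argument whose destination is a .pif/.exe directly in a drive
        #    root (assumed here to be a copy, the pattern this sample uses next to AUTORUN.INF).
        m = DRIVE_ROOT_COPY_RE.search(low)
        if m:
            findings.append(Finding("copy_to_drive_root", "high", m.group(1), line))

        # 6. Anything executing out of the all-users Startup folder.
        if "\\start menu\\programs\\startup\\" in low:
            findings.append(Finding("startup_folder_execution", "medium", line.strip('"'), line))

        # 7. Single-echo ping: an Internet connectivity probe, weak evidence on its own.
        if name == "ping.exe" and re.search(r"-n\s+1(?=\s|$)", low):
            findings.append(Finding("single_echo_ping", "low", args, line))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample: command lines transcribed from the process tree above,
# plus one benign control (the real lsass.exe path) that must not trigger anything.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe"',
    r'cmd.exe /c echo ok',
    r'"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F',
    r'"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F',
    r'"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F',
    r'cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"',
    r'cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"',
    r'"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s',
    r'"C:\Windows\system32\com\lsass.exe"',
    r'C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif',
    r'cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"',
    r'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe',
    r'ping.exe -f -n 1 www.baidu.com',
    r'"C:\Windows\System32\lsass.exe"',   # benign control, constructed
]

if __name__ == "__main__":
    results = analyze(SAMPLE_CMDLINES)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:32} {f.detail}")
    print(summarize(results))
```

Rule 1 is the one worth keeping in production as written: a process named smss.exe or lsass.exe whose image directory is not System32 or SysWOW64 has no benign explanation. Rules 2 to 6 describe this sample's installer and will need tuning against your own baseline (legitimate installers do call regsvr32 /s, and cacls on C:\Windows is rare but not unheard of); rule 7 is only useful for correlation, which is why it carries low severity.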
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| US | 8.8.8.8:53 | js.k0102.com | udp |
| DE | 185.53.179.173:80 | js.k0102.com | tcp |
| US | 8.8.8.8:53 | d38psrni17bvxu.cloudfront.net | udp |
| NL | 18.239.102.57:80 | d38psrni17bvxu.cloudfront.net | tcp |
| US | 8.8.8.8:53 | ifdnzact.com | udp |
| US | 208.91.196.46:80 | ifdnzact.com | tcp |
Files
memory/2312-0-0x0000000000400000-0x000000000042C000-memory.dmp
\Windows\SysWOW64\com\smss.exe
| MD5 | 2c5834f823066354d9e92396ecaca50d |
| SHA1 | 37647491c08aa2ec6d07cf805b0eabd978869f11 |
| SHA256 | b94c93730d8031b0391e6934f3da705bfca14080238c3070f032ff4cea6b1657 |
| SHA512 | ac3d1b1b7235e89bf5169822a250710ef61004cdaaf0e1c6c4d766dcf63223630ba81a613f0fed9b467f2c987735ec842eaef3ed53c67d3ff10563e26bc822b7 |
\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
| MD5 | 81c9f59d59f47adb56dcd644fe8ad3c2 |
| SHA1 | b531fd2e38e70b3f0affb73f127cb62a0fc32ca6 |
| SHA256 | ec454237d6fe71ad3987df75978e44ae5bc4cb08687358a1f27a4b88c221e9a5 |
| SHA512 | c893784f3b08553665470d375647b2a50de9ca3b8bbdba039624589d393772cba4b1ae65710c9f319408edf3301c1e8577503511c26a38ae3ebb814db665a05b |
memory/2312-15-0x0000000000400000-0x000000000042C000-memory.dmp
\??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.~
| MD5 | 7b400627a528576c184a8e6ae2567cc0 |
| SHA1 | dcfa5e31be92429157c74be7e474907bbd75b102 |
| SHA256 | e31ee78f5c6144ded9f415475facf94575add9c806ec0cac8e2486ae04b82c1a |
| SHA512 | 5fdc94a4f4728de943e6b542305ffa6a891dcf5e80f167e9d70f0173b25311c401a122f47e286b151b02128a04073979a3cd6ccd09bdab51bcfd6915e7757d8a |
memory/2420-28-0x0000000002F40000-0x0000000002F6C000-memory.dmp
\Windows\SysWOW64\com\lsass.exe
| MD5 | dca33e599ab160c3a70099e428b28e6a |
| SHA1 | 9cc19e802cbceb384697ca83f8fc91b15df097a4 |
| SHA256 | 83ebe1a34e60f5ccbbbbd8d75e0d74e269e23355f50b8d677b0851e8eb0183fd |
| SHA512 | bd0d6dd9e5442d61e3576751d6f17ffb7109ff5092d8ac038a4090f443f80f9a20436dd5346e36889e97202436b07828552c1f651d77b24748d1d563117fcdb2 |
memory/2320-36-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2420-47-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1728-51-0x0000000000400000-0x000000000042C000-memory.dmp
C:\NetApi000.sys
| MD5 | 116b07e8887181880fad6c1145f8dc58 |
| SHA1 | e87acb06caa8fca981069e5cf5005cc9c74e5ce7 |
| SHA256 | 454c8307648871a7db0aa79cd2d3e671e1234dcb87f42c593fa841ae9e881cca |
| SHA512 | 8da5c36dbf296b91f46ebf1d64918a48a59cfe45dee0588f5cc40e6805bd13310ebee39b735a66b7165ac74deb99bcaa2f761eef8678a295eabd17f5437c1cc6 |
C:\Windows\SysWOW64\com\netcfg.000
| MD5 | f527f2633493d985fb77a348c8e9e723 |
| SHA1 | 83a3fbfa3eba9a435399707f7b83eda4b93d69ec |
| SHA256 | e2cd4430ae2646e6a9bb5206670623bc6c693da322c7402b5c08e1c1c1de7258 |
| SHA512 | d2dc84335a2fd1a72b583edfe4bfead2247bef4b116f3419f59441f69590c81a58e453f73a1d0b51c4754fc0dbdbb03490ab03fc865bd3dc825361e0a786aab0 |
\Windows\SysWOW64\dnsq.dll
| MD5 | 46e993717175142dcdffbdd53e30ca9d |
| SHA1 | f57d052deb71a4a44aeb9d1efa0d4a9d70f0538e |
| SHA256 | c53a1e2142e9d9019021298df808ad7d8378a9545274ef511151407853dd0fd3 |
| SHA512 | 4ea6228beaf4ba09e9908f844a4e7fb1b406e427ae5d5a96bc577d6fab56c4e8672ae40c6af7aa83d8611b3f23b6d2355dd7c69fbada61e716862be78e2d5b3b |
memory/2320-72-0x0000000010000000-0x0000000010018000-memory.dmp
memory/632-83-0x0000000010000000-0x0000000010010000-memory.dmp
memory/2320-95-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2044-100-0x0000000010000000-0x0000000010018000-memory.dmp
memory/2044-99-0x0000000000400000-0x00000000004B0000-memory.dmp
memory/2320-104-0x0000000010000000-0x0000000010018000-memory.dmp
memory/2320-105-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2524-107-0x0000000010000000-0x0000000010018000-memory.dmp
memory/2320-109-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2320-112-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2320-115-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2320-118-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2320-121-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2320-124-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2320-127-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2320-130-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2320-133-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2320-136-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2320-139-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2320-147-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2320-150-0x0000000000400000-0x000000000042C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 05:29
Reported
2024-10-31 05:32
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\lsass.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| N/A | N/A | C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\smss.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened (read-only) | \??\h: | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Indicator Removal: File Deletion
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\AUTORUN.INF | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | D:\AUTORUN.INF | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | \??\E:\AUTORUN.INF | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\AUTORUN.INF | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\com\smss.exe | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\lsass.exe | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\com\lsass.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dnsq.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\bak | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\smss.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\com\lsass.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\240628688.log | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\dnsq.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\netcfg.000 | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\com\netcfg.000 | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\com\netcfg.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\00302.log | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\com\smss.exe | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\00302.log | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\lsass.exe | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File created | C:\Windows\SysWOW64\240628688.log | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\smss.exe | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| File created | C:\Windows\SysWOW64\com\lsass.exe | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| File created | C:\Windows\SysWOW64\00302.log | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\com\netcfg.dll | C:\Windows\SysWOW64\com\lsass.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\com\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ping.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | \??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\com\lsass.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81c9f59d59f47adb56dcd644fe8ad3c2_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe^|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
\??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
"c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.~^|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.~|c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe
C:\Windows\SysWOW64\com\lsass.exe
"C:\Windows\system32\com\lsass.exe"
C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe
"C:\Users\Admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe"
C:\Windows\SysWOW64\com\lsass.exe
^c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
C:\Windows\SysWOW64\com\smss.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|C:\pagefile.pif"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|C:\pagefile.pif
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|D:\pagefile.pif"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe^|E:\pagefile.pif"
C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\smss.exe C:\Windows\system32\com\lsass.exe|E:\pagefile.pif
C:\Windows\SysWOW64\ping.exe
ping.exe -f -n 1 www.baidu.com
Network
Files
C:\Windows\SysWOW64\Com\smss.exe
\??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.exe.log
\??\c:\users\admin\appdata\local\temp\81c9f59d59f47adb56dcd644fe8ad3c2_jaffacakes118.~
C:\Windows\SysWOW64\Com\lsass.exe
C:\NetApi000.sys
C:\Windows\SysWOW64\Com\netcfg.000
C:\Windows\SysWOW64\dnsq.dll