Analysis
max time kernel: 150s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01-11-2024 05:20
Static task: static1
Behavioral task: behavioral1
  Sample: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe
Size: 451KB
MD5: 841e3020571b7e88f6bdeb2feaae66ab
SHA1: 74cd938eb712ec9ee46c4bc90fd33f100062bcba
SHA256: 7becb47b7359803ce0c2e41b5900f6d15b14f53b04ed86d42c98ecababc7baf8
SHA512: 5b0e69e3c85c3eb1c9b0bd50392d92ea6f7e7bf8f2283d4cd590355161948d3adff58d740c2373884fad89b582b1015b199125abcd95b56e7cf6c8f4e67e2d92
SSDEEP: 12288:XHFIQcL99wRku+gY43RK9v00lfQv1dN8OqhdT+:XHEDgN3U9NW7N8OqD6
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modifies firewall policy service (3 TTPs, 2 IoCs)
Processes: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\jsched.exe = "C:\\Windows\\system32\\jsched.exe:*:Enabled:Explorer" (841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe)
Modiloader family
ModiLoader Second Stage (14 IoCs)
resource / yara_rule (all entries match modiloader_stage2):
- behavioral1/memory/2708-47-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2708-49-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2708-46-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/316-45-0x0000000000400000-0x000000000043F000-memory.dmp
- behavioral1/memory/2708-43-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2708-40-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2708-38-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2708-36-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2708-34-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2708-51-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2708-78-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2616-81-0x0000000000400000-0x000000000043F000-memory.dmp
- behavioral1/memory/2580-85-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/2580-83-0x0000000000400000-0x000000000042C000-memory.dmp
Executes dropped EXE (4 IoCs)
Processes: javaup12.exe, javaup12.exe, nvscpapisvr.exe, nvscpapisvr.exe
pid / Process:
- 316 javaup12.exe
- 2708 javaup12.exe
- 2616 nvscpapisvr.exe
- 2580 nvscpapisvr.exe
Loads dropped DLL (4 IoCs)
Processes: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe, javaup12.exe, javaup12.exe
pid / Process:
- 2248 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe
- 2248 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe
- 316 javaup12.exe
- 2708 javaup12.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe
description / ioc / Process:
- Set value (str): \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched11 = "C:\\Windows\\system32\\jsched.exe" (841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe)
Drops file in System32 directory (3 IoCs)
Processes: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe
description / ioc / Process:
- File opened for modification: C:\Windows\SysWOW64\jsched.exe (841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\jsched.exe (841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\javaup12.exe (841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe)
Suspicious use of SetThreadContext (3 IoCs)
Processes: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe, javaup12.exe, nvscpapisvr.exe
description / pid / Process / procid_target:
- PID 2536 set thread context of 2248 (2536 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe, procid_target 31)
- PID 316 set thread context of 2708 (316 javaup12.exe, procid_target 33)
- PID 2616 set thread context of 2580 (2616 nvscpapisvr.exe, procid_target 35)
Drops file in Program Files directory (64 IoCs)
Processes: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe
description / ioc / Process (every entry is "File created" by 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe):
- C:\program files\emule\incoming\DVD Tools Nero 9 2 6 0.exe
- C:\program files\morpheus\my shared folder\Daemon Tools Pro 4.11.exe
- C:\program files\winmx\shared\K-Lite codec pack 4.0 gold.exe
- C:\program files\winmx\shared\WinRAR v3.x keygen RaZoR.exe
- C:\program files\icq\shared folder\K-Lite codec pack 4.0 gold.exe
- C:\program files\emule\incoming\Adobe Photoshop CS4 crack.exe
- C:\program files\grokster\my grokster\Absolute Video Converter 6.2.exe
- C:\program files\emule\incoming\Total Commander7 license+keygen.exe
- C:\program files\emule\incoming\Grand Theft Auto IV (Offline Activation).exe
- C:\program files\limewire\shared\K-Lite codec pack 3.10 full.exe
- C:\program files\winmx\shared\Grand Theft Auto IV (Offline Activation).exe
- C:\program files\winmx\shared\PDF password remover (works with all acrobat reader).exe
- C:\program files\grokster\my grokster\Windows2008 keygen and activator.exe
- C:\program files\emule\incoming\Windows 2008 Enterprise Server VMWare Virtual Machine.exe
- C:\program files\limewire\shared\Adobe Photoshop CS4 crack.exe
- C:\program files\icq\shared folder\BitDefender AntiVirus 2009 Keygen.exe
- C:\program files\grokster\my grokster\Adobe Acrobat Reader keygen.exe
- C:\program files\emule\incoming\Ad-aware 2009.exe
- C:\program files\limewire\shared\Norton Anti-Virus 2009 Enterprise Crack.exe
- C:\program files\limewire\shared\AVS video converter6.exe
- C:\program files\grokster\my grokster\BitDefender AntiVirus 2009 Keygen.exe
- C:\program files\grokster\my grokster\Download Accelerator Plus v8.7.5.exe
- C:\program files\limewire\shared\G-Force Platinum v3.7.5.exe
- C:\program files\tesla\files\Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
- C:\program files\winmx\shared\VmWare keygen.exe
- C:\program files\grokster\my grokster\Microsoft Office 2007 Home and Student keygen.exe
- C:\program files\morpheus\my shared folder\Adobe Acrobat Reader keygen.exe
- C:\program files\morpheus\my shared folder\Grand Theft Auto IV (Offline Activation).exe
- C:\program files\limewire\shared\Download Accelerator Plus v8.7.5.exe
- C:\program files\emule\incoming\Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
- C:\program files\emule\incoming\Magic Video Converter 8 0 2 18.exe
- C:\program files\limewire\shared\K-Lite codec pack 4.0 gold.exe
- C:\program files\limewire\shared\Windows XP PRO Corp SP3 valid-key generator.exe
- C:\program files\icq\shared folder\Grand Theft Auto IV (Offline Activation).exe
- C:\program files\grokster\my grokster\K-Lite codec pack 3.10 full.exe
- C:\program files\grokster\my grokster\Ad-aware 2009.exe
- C:\program files\emule\incoming\Download Boost 2.0.exe
- C:\program files\winmx\shared\LimeWire Pro v4.18.3.exe
- C:\program files\icq\shared folder\Absolute Video Converter 6.2.exe
- C:\program files\icq\shared folder\Microsoft.Windows 7 Beta1 Build 7000 x86.exe
- C:\program files\limewire\shared\LimeWire Pro v4.18.3.exe
- C:\program files\limewire\shared\Power ISO v4.2 + keygen axxo.exe
- C:\program files\tesla\files\Winamp.Pro.v6.53.PowerPack.Portable+installer.exe
- C:\program files\emule\incoming\Opera 9.62 International.exe
- C:\program files\morpheus\my shared folder\Ad-aware 2009.exe
- C:\program files\emule\incoming\Power ISO v4.2 + keygen axxo.exe
- C:\program files\emule\incoming\Winamp.Pro.v6.53.PowerPack.Portable+installer.exe
- C:\program files\limewire\shared\Kaspersky Internet Security 2009 keygen.exe
- C:\program files\tesla\files\BitDefender AntiVirus 2009 Keygen.exe
- C:\program files\grokster\my grokster\AnyDVD HD v.6.3.1.8 Beta incl crack.exe
- C:\program files\grokster\my grokster\Sophos antivirus updater bypass.exe
- C:\program files\icq\shared folder\AVS video converter6.exe
- C:\program files\grokster\my grokster\Internet Download Manager V5.exe
- C:\program files\grokster\my grokster\Nero 9 9.2.6.0 keygen.exe
- C:\program files\emule\incoming\K-Lite codec pack 3.10 full.exe
- C:\program files\emule\incoming\Avast 4.8 Professional.exe
- C:\program files\limewire\shared\Windows 2008 Enterprise Server VMWare Virtual Machine.exe
- C:\program files\limewire\shared\Internet Download Manager V5.exe
- C:\program files\tesla\files\Microsoft Visual Studio 2008 KeyGen.exe
- C:\program files\icq\shared folder\Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
- C:\program files\icq\shared folder\Internet Download Manager V5.exe
- C:\program files\tesla\files\Avast 4.8 Professional.exe
- C:\program files\tesla\files\Google Earth Pro 4.2. with Maps and crack.exe
- C:\program files\grokster\my grokster\Windows XP PRO Corp SP3 valid-key generator.exe
Drops file in Windows directory (2 IoCs)
Processes: javaup12.exe
description / ioc / Process:
- File created: C:\Windows\nvscpapisvr.exe (javaup12.exe)
- File opened for modification: C:\Windows\nvscpapisvr.exe (javaup12.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe, 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe, javaup12.exe, javaup12.exe, nvscpapisvr.exe, nvscpapisvr.exe
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (javaup12.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (javaup12.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (nvscpapisvr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (nvscpapisvr.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe
pid / Process: 64 identical entries, each "2248 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe"
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe, 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe, javaup12.exe, javaup12.exe, nvscpapisvr.exe, nvscpapisvr.exe
description / pid / Process / procid_target (identical consecutive entries collapsed with a count):
- PID 2536 wrote to memory of 2248 (2536 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe, procid_target 31), 10 entries
- PID 2248 wrote to memory of 316 (2248 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe, procid_target 32), 4 entries
- PID 316 wrote to memory of 2708 (316 javaup12.exe, procid_target 33), 10 entries
- PID 2708 wrote to memory of 2616 (2708 javaup12.exe, procid_target 34), 4 entries
- PID 2616 wrote to memory of 2580 (2616 nvscpapisvr.exe, procid_target 35), 10 entries
- PID 2580 wrote to memory of 2784 (2580 nvscpapisvr.exe, procid_target 36), 26 entries
Processes
C:\Users\Admin\AppData\Local\Temp\841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe (depth 1, PID 2536)
  Command line: "C:\Users\Admin\AppData\Local\Temp\841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe (depth 2, PID 2248)
    Command line: C:\Users\Admin\AppData\Local\Temp\841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe
    - Modifies firewall policy service
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\javaup12.exe (depth 3, PID 316)
      Command line: "C:\Windows\system32\javaup12.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\javaup12.exe (depth 4, PID 2708)
        Command line: C:\Windows\SysWOW64\javaup12.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\nvscpapisvr.exe (depth 5, PID 2616)
          Command line: "C:\Windows\nvscpapisvr.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          C:\Windows\nvscpapisvr.exe (depth 6, PID 2580)
            Command line: C:\Windows\nvscpapisvr.exe
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Program Files\Internet Explorer\iexplore.exe (depth 7, PID 2784)
              Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (2)
Downloads
Filesize: 234KB
MD5: 73724d8bf5297c7423afb1abf90858fb
SHA1: 41f3ef6857c9d0e63c725b16da9e33a093a9d957
SHA256: 95697f17ba0b6f93393031812489ee3211a0d06a804891d1c1f167a7502e6b80
SHA512: ecc0e8d2e89562eb7046bb759cb7d26f1c386aef0706e52830227a596f6fd7689a41eb72c98cdf18293702a2b4e4948296b8465d6df817282c5edf0418bd7283