Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2024 05:20
Static task: static1
Behavioral task behavioral1: sample 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe, resource win10v2004-20241007-en
The signatures, memory-dump hits and process tree below are from behavioral2 (the platform line above is windows10-2004_x64 and the YARA hits are named behavioral2/memory/...).
General
Target: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe
Size: 451KB
MD5: 841e3020571b7e88f6bdeb2feaae66ab
SHA1: 74cd938eb712ec9ee46c4bc90fd33f100062bcba
SHA256: 7becb47b7359803ce0c2e41b5900f6d15b14f53b04ed86d42c98ecababc7baf8
SHA512: 5b0e69e3c85c3eb1c9b0bd50392d92ea6f7e7bf8f2283d4cd590355161948d3adff58d740c2373884fad89b582b1015b199125abcd95b56e7cf6c8f4e67e2d92
SSDEEP: 12288:XHFIQcL99wRku+gY43RK9v00lfQv1dN8OqhdT+:XHEDgN3U9NW7N8OqD6
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses public cloud services to fetch and run additional malware families.

Modifies firewall policy service (3 TTPs, 4 IoCs)
Process: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\jsched.exe = "C:\\Windows\\system32\\jsched.exe:*:Enabled:Explorer"
The AuthorizedApplications\List key is the legacy (pre-Vista) Windows Firewall exception list. The entry whitelists the dropped jsched.exe for every scope ("*"), Enabled, under the misleading display name "Explorer". The registry write itself is the reliable detection signal, whatever the host firewall still makes of this legacy list.
Modiloader family

ModiLoader Second Stage (14 IoCs)
YARA rule modiloader_stage2 matched these behavioral2 memory dumps:
behavioral2/memory/2164-13-0x0000000000400000-0x000000000042C000-memory.dmp
behavioral2/memory/2164-15-0x0000000000400000-0x000000000042C000-memory.dmp
behavioral2/memory/2164-17-0x0000000000400000-0x000000000042C000-memory.dmp
behavioral2/memory/2164-18-0x0000000000400000-0x000000000042C000-memory.dmp
behavioral2/memory/2164-19-0x0000000000400000-0x000000000042C000-memory.dmp
behavioral2/memory/2164-20-0x0000000000400000-0x000000000042C000-memory.dmp
behavioral2/memory/2164-55-0x0000000000400000-0x000000000042C000-memory.dmp
behavioral2/memory/4708-16-0x0000000000400000-0x000000000043F000-memory.dmp
behavioral2/memory/1468-58-0x0000000000400000-0x000000000043F000-memory.dmp
behavioral2/memory/3400-62-0x0000000000400000-0x000000000042C000-memory.dmp
behavioral2/memory/3400-64-0x0000000000400000-0x000000000042C000-memory.dmp
behavioral2/memory/3400-65-0x0000000000400000-0x000000000042C000-memory.dmp
behavioral2/memory/3400-66-0x0000000000400000-0x000000000042C000-memory.dmp
behavioral2/memory/3400-77-0x0000000000400000-0x000000000042C000-memory.dmp
All hits are at image base 0x400000. PIDs 4708 and 1468 (javaup12.exe and nvscpapisvr.exe, 0x3F000 bytes) are the parents that call SetThreadContext; PIDs 2164 and 3400 (0x2C000 bytes) are the children whose memory those parents rewrote, so the smaller mapping is the unpacked stage rather than the on-disk image.
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Process: nvscpapisvr.exe
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Java micro kernel = "C:\\Windows\\nvscpapisvr.exe"

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Process: nvscpapisvr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3MR75YGX-3K56-2HV5-5E4Y-O82OBV535652}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3MR75YGX-3K56-2HV5-5E4Y-O82OBV535652}\StubPath = "\"C:\\Windows\\nvscpapisvr.exe\""
The component name is not a valid GUID (it contains non-hexadecimal characters such as M, R, Y, G, X, K, H, V and O), which makes it a cheap, high-fidelity hunt string. The key landed under WOW6432Node because the writer is a 32-bit process.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Process: javaup12.exe
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (4 IoCs)
PID 4708 javaup12.exe
PID 2164 javaup12.exe
PID 1468 nvscpapisvr.exe
PID 3400 nvscpapisvr.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe, nvscpapisvr.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched11 = "C:\\Windows\\system32\\jsched.exe" (written by 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java micro kernel = "C:\\Windows\\nvscpapisvr.exe" (written by nvscpapisvr.exe)
Both value names imitate Java updater components.
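The four registry writes above (legacy firewall exception, HKCU Run, Policies\Explorer\Run and an Active Setup StubPath) are the persistence and evasion footprint of this run. The following is an added example, not sandbox output or the sample's own code: it parses rows in the shape the report prints them, classifies each write, and performs the two extra checks a triage engineer would want, a GUID-shape test on the Active Setup component name and a comparison of the firewall display name against the whitelisted binary. The four report rows are copied from the tables above; the last row is a constructed benign control, and the check names are this example's own.

```python
"""Classify the registry 'Set value' rows of this report by persistence or
firewall-tampering pattern.  Added example, not part of the sandbox output."""
import re
from dataclasses import dataclass

# Row shape used by the report:  Set value (str) <key>\<value name> = "<data>" <process>
ROW_RE = re.compile(r'^Set value \((?:str|int|bin)\) (?P<key>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$")
FW_LIST = "\\authorizedapplications\\list\\"   # legacy XP-style firewall exception list


@dataclass
class Finding:
    check: str
    process: str   # process that wrote the value
    target: str    # program the value points at
    detail: str = ""


def parse_row(row):
    """Return (parent key, value name, unescaped data, writing process) or None."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    key, data, proc = m["key"], m["data"], m["proc"]
    data = data.replace("\\\\", "\\").replace('\\"', '"')   # undo the report's escaping
    low = key.lower()
    if FW_LIST in low:            # the value name is itself a path, so split at the list marker
        cut = low.index(FW_LIST) + len(FW_LIST)
        return key[:cut - 1], key[cut:], data, proc
    parent, _, name = key.rpartition("\\")
    return parent, name, data, proc


def classify(parent, name, data, proc):
    low, out = parent.lower(), []
    target = data.strip('"')
    if low.endswith("\\authorizedapplications\\list"):
        parts = target.rsplit(":", 3)     # <path>:<scope>:<Enabled|Disabled>:<display name>
        if len(parts) == 4:
            path, _scope, state, label = parts
            out.append(Finding("legacy_firewall_exception", proc, path, f"{state}, shown as '{label}'"))
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if label.lower() != stem.lower():          # "Explorer" whitelisting jsched.exe
                out.append(Finding("firewall_label_mismatch", proc, path, f"label '{label}' vs binary '{stem}'"))
            target = path
        else:
            out.append(Finding("legacy_firewall_exception", proc, target, "unparsed entry"))
    elif low.endswith("\\policies\\explorer\\run"):
        out.append(Finding("policy_run_key", proc, target, name))
    elif low.endswith("\\currentversion\\run"):
        out.append(Finding("run_key", proc, target, name))
    elif "\\active setup\\installed components\\" in low and name.lower() == "stubpath":
        component = parent.rsplit("\\", 1)[-1]
        out.append(Finding("active_setup_stubpath", proc, target, component))
        if not GUID_RE.match(component):
            out.append(Finding("malformed_guid", proc, target, component))
    if out and "\\windows\\system32\\" in target.lower():
        # A 32-bit writer has System32 redirected to SysWOW64; a 64-bit logon process does not.
        out.append(Finding("system32_path_needs_wow64_check", proc, target))
    return out


def scan(rows):
    findings = []
    for row in rows:
        parsed = parse_row(row)
        if parsed:
            findings.extend(classify(*parsed))
    return findings


SID = "S-1-5-21-4089630652-1596403869-279772308-1000"
SAMPLE = "841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe"
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\jsched.exe = "C:\\Windows\\system32\\jsched.exe:*:Enabled:Explorer" ' + SAMPLE,
    rf'Set value (str) \REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched11 = "C:\\Windows\\system32\\jsched.exe" ' + SAMPLE,
    rf'Set value (str) \REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Java micro kernel = "C:\\Windows\\nvscpapisvr.exe" nvscpapisvr.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3MR75YGX-3K56-2HV5-5E4Y-O82OBV535652}\StubPath = "\"C:\\Windows\\nvscpapisvr.exe\"" nvscpapisvr.exe',
    # constructed benign control row, not from the report
    rf'Set value (int) \REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" explorer.exe',
]

if __name__ == "__main__":
    for f in scan(REPORT_ROWS):
        print(f"{f.check:32} {f.process:52} {f.target}  {f.detail}")
```

The same rows can be fed in from Sysmon Event ID 13 or an EDR registry feed once they are rendered in this key/name/data shape; the GUID regex and the label-versus-binary comparison are what separate this run from routine software installs that also touch Run keys.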
Drops file in System32 directory (3 IoCs)
Process: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\jsched.exe
File created C:\Windows\SysWOW64\jsched.exe
File created C:\Windows\SysWOW64\javaup12.exe
The sample is a 32-bit process, so its writes to C:\Windows\system32 are redirected by WOW64 to C:\Windows\SysWOW64 (compare the command line "C:\Windows\system32\javaup12.exe" with the real image path C:\Windows\SysWOW64\javaup12.exe in the process tree). The SunJavaUpdateSched11 Run value stores the un-redirected string C:\Windows\system32\jsched.exe; a 64-bit logon process resolving it reaches the native System32, where nothing was dropped, so on this x64 host that entry is unlikely to start anything. nvscpapisvr.exe lives in C:\Windows, which is not redirected, so its persistence entries are unaffected.
Suspicious use of SetThreadContext (3 IoCs)
PID 3776 (841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe) set thread context of 4624 (target id 84)
PID 4708 (javaup12.exe) set thread context of 2164 (target id 94)
PID 1468 (nvscpapisvr.exe) set thread context of 3400 (target id 97)
In each case the parent writes into a freshly spawned copy of its own image (see "Suspicious use of WriteProcessMemory") and then resets its thread context: the process-hollowing pattern. The rewritten copies (4624, 2164, 3400) are the processes that carry the later behaviour.
Drops file in Program Files directory (64 IoCs)
Process: 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe
File created (one path per line):
C:\program files\icq\shared folder\Power ISO v4.2 + keygen axxo.exe
C:\program files\icq\shared folder\G-Force Platinum v3.7.5.exe
C:\program files\icq\shared folder\PDF password remover (works with all acrobat reader).exe
C:\program files\morpheus\my shared folder\Grand Theft Auto IV (Offline Activation).exe
C:\program files\limewire\shared\VmWare keygen.exe
C:\program files\winmx\shared\LimeWire Pro v4.18.3.exe
C:\program files\limewire\shared\AVS video converter6.exe
C:\program files\icq\shared folder\Internet Download Manager V5.exe
C:\program files\icq\shared folder\Microsoft.Windows 7 Beta1 Build 7000 x86.exe
C:\program files\emule\incoming\AnyDVD HD v.6.3.1.8 Beta incl crack.exe
C:\program files\emule\incoming\Download Boost 2.0.exe
C:\program files\limewire\shared\K-Lite codec pack 4.0 gold.exe
C:\program files\limewire\shared\Nero 9 9.2.6.0 keygen.exe
C:\program files\emule\incoming\Windows 2008 Enterprise Server VMWare Virtual Machine.exe
C:\program files\tesla\files\Microsoft Office 2007 Home and Student keygen.exe
C:\program files\tesla\files\Alcohol 120 v1.9.7.exe
C:\program files\grokster\my grokster\Grand Theft Auto IV (Offline Activation).exe
C:\program files\emule\incoming\Super Utilities Pro 2009 11.0.exe
C:\program files\emule\incoming\Magic Video Converter 8 0 2 18.exe
C:\program files\limewire\shared\Microsoft Office 2007 Home and Student keygen.exe
C:\program files\limewire\shared\Opera 9.62 International.exe
C:\program files\limewire\shared\Motorola, nokia, ericsson mobil phone tools.exe
C:\program files\grokster\my grokster\Norton Anti-Virus 2009 Enterprise Crack.exe
C:\program files\grokster\my grokster\CleanMyPC Registry Cleaner v6.02.exe
C:\program files\morpheus\my shared folder\Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
C:\program files\morpheus\my shared folder\Windows2008 keygen and activator.exe
C:\program files\winmx\shared\Divx Pro 6.8.0.19 + keymaker.exe
C:\program files\winmx\shared\Tuneup Ultilities 2008.exe
C:\program files\icq\shared folder\Youtube Music Downloader 1.0.exe
C:\program files\grokster\my grokster\Divx Pro 6.8.0.19 + keymaker.exe
C:\program files\emule\incoming\Windows2008 keygen and activator.exe
C:\program files\limewire\shared\Windows XP PRO Corp SP3 valid-key generator.exe
C:\program files\winmx\shared\Opera 9.62 International.exe
C:\program files\tesla\files\Total Commander7 license+keygen.exe
C:\program files\winmx\shared\Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
C:\program files\icq\shared folder\Google Earth Pro 4.2. with Maps and crack.exe
C:\program files\icq\shared folder\Windows XP PRO Corp SP3 valid-key generator.exe
C:\program files\grokster\my grokster\Smart Draw 2008 keygen.exe
C:\program files\grokster\my grokster\Google Earth Pro 4.2. with Maps and crack.exe
C:\program files\emule\incoming\Google Earth Pro 4.2. with Maps and crack.exe
C:\program files\morpheus\my shared folder\Ad-aware 2009.exe
C:\program files\grokster\my grokster\LimeWire Pro v4.18.3.exe
C:\program files\emule\incoming\WinRAR v3.x keygen RaZoR.exe
C:\program files\morpheus\my shared folder\Avast 4.8 Professional.exe
C:\program files\morpheus\my shared folder\Sophos antivirus updater bypass.exe
C:\program files\limewire\shared\Perfect keylogger family edition with crack.exe
C:\program files\icq\shared folder\Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
C:\program files\icq\shared folder\LimeWire Pro v4.18.3.exe
C:\program files\emule\incoming\Norton Anti-Virus 2009 Enterprise Crack.exe
C:\program files\emule\incoming\Sophos antivirus updater bypass.exe
C:\program files\tesla\files\Super Utilities Pro 2009 11.0.exe
C:\program files\winmx\shared\AnyDVD HD v.6.3.1.8 Beta incl crack.exe
C:\program files\tesla\files\Power ISO v4.2 + keygen axxo.exe
C:\program files\winmx\shared\DVD Tools Nero 9 2 6 0.exe
C:\program files\icq\shared folder\Windows 2008 Enterprise Server VMWare Virtual Machine.exe
C:\program files\icq\shared folder\Ad-aware 2009.exe
C:\program files\morpheus\my shared folder\Sony Vegas Pro 8 0b Build 219.exe
C:\program files\morpheus\my shared folder\Nero 9 9.2.6.0 keygen.exe
C:\program files\limewire\shared\AnyDVD HD v.6.3.1.8 Beta incl crack.exe
C:\program files\tesla\files\Internet Download Manager V5.exe
C:\program files\grokster\my grokster\Kaspersky Internet Security 2009 keygen.exe
C:\program files\emule\incoming\Total Commander7 license+keygen.exe
C:\program files\emule\incoming\Winamp.Pro.v6.53.PowerPack.Portable+installer.exe
C:\program files\morpheus\my shared folder\PDF password remover (works with all acrobat reader).exe
Every path sits in the shared or incoming folder of a peer-to-peer client (ICQ, Morpheus, LimeWire, WinMX, eMule, Grokster, Tesla) and carries a lure name (keygens, cracks, activators, 2008/2009-era software, ringtone packs): the classic P2P-worm distribution technique, with the file names dating the code. The report does not show the content or hashes of these files, and 64 is the most this report lists per signature, so the real count may be higher.
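A detection for the seeding behaviour above, as an added example rather than sandbox code: it parses rows in the report's "File created <path> <process>" shape, maps each path to the P2P client whose share folder it lands in, counts lure-named executables per writing process, and flags a process once it has written into several clients' share folders. The share-folder map and lure words are taken from the paths in this report; the sample rows are eight of those paths plus one constructed benign row (marked), and the thresholds are this example's assumptions.

```python
"""Flag mass seeding of peer-to-peer share folders with lure-named executables.
Added example, not sandbox code; folder map and lure words come from this report."""
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(r"^File (?:created|opened for modification) (?P<path>.+) (?P<proc>\S+)$")

# Share folders seen in the report (lower-case markers), keyed by client name
P2P_SHARES = {
    "ICQ": "\\icq\\shared folder\\",
    "Morpheus": "\\morpheus\\my shared folder\\",
    "LimeWire": "\\limewire\\shared\\",
    "WinMX": "\\winmx\\shared\\",
    "eMule": "\\emule\\incoming\\",
    "Grokster": "\\grokster\\my grokster\\",
    "Tesla": "\\tesla\\files\\",
}
# Lure vocabulary present in the report's file names
LURE_WORDS = ("keygen", "crack", "keymaker", "activator", "key generator", "bypass", "license")


def p2p_client(path):
    low = path.lower()
    for client, marker in P2P_SHARES.items():
        if marker in low:
            return client
    return None


def is_lure(path):
    name = path.rsplit("\\", 1)[-1].lower()
    return name.endswith(".exe") and any(word in name for word in LURE_WORDS)


def parse_rows(rows):
    """Yield (path, writing process) for rows in the report's file-IoC shape."""
    out = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            out.append((m["path"], m["proc"]))
    return out


def summarize(rows):
    """Per writing process: executables per P2P client, how many carry lure names, total."""
    stats = defaultdict(lambda: {"clients": Counter(), "lures": 0, "total": 0})
    for path, proc in parse_rows(rows):
        client = p2p_client(path)
        if client is None:
            continue            # not a share folder: ordinary install activity
        s = stats[proc]
        s["clients"][client] += 1
        s["total"] += 1
        s["lures"] += is_lure(path)
    return dict(stats)


def flag_seeding(rows, min_files=5, min_clients=2):
    """Processes whose share-folder writes cross the (assumed) thresholds."""
    return sorted(proc for proc, s in summarize(rows).items()
                  if s["total"] >= min_files and len(s["clients"]) >= min_clients)


SAMPLE = "841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe"
SAMPLE_ROWS = [
    r"File created C:\program files\icq\shared folder\Power ISO v4.2 + keygen axxo.exe " + SAMPLE,
    r"File created C:\program files\icq\shared folder\G-Force Platinum v3.7.5.exe " + SAMPLE,
    r"File created C:\program files\icq\shared folder\PDF password remover (works with all acrobat reader).exe " + SAMPLE,
    r"File created C:\program files\morpheus\my shared folder\Grand Theft Auto IV (Offline Activation).exe " + SAMPLE,
    r"File created C:\program files\limewire\shared\VmWare keygen.exe " + SAMPLE,
    r"File created C:\program files\limewire\shared\Nero 9 9.2.6.0 keygen.exe " + SAMPLE,
    r"File created C:\program files\emule\incoming\AnyDVD HD v.6.3.1.8 Beta incl crack.exe " + SAMPLE,
    r"File created C:\program files\grokster\my grokster\Norton Anti-Virus 2009 Enterprise Crack.exe " + SAMPLE,
    # constructed benign control row, not from the report
    r"File created C:\Program Files\Notepad++\updater\GUP.exe setup.exe",
]

if __name__ == "__main__":
    for proc, s in summarize(SAMPLE_ROWS).items():
        print(proc, dict(s["clients"]), "lures:", s["lures"], "of", s["total"])
    print("flagged:", flag_seeding(SAMPLE_ROWS))
```

The per-client breakdown matters more than the raw count: a real installer writes into one application's directory, whereas a worm fans out across every share folder it can find.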
Drops file in Windows directory (2 IoCs)
Process: javaup12.exe
File created C:\Windows\nvscpapisvr.exe
File opened for modification C:\Windows\nvscpapisvr.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, twice each by 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe, javaup12.exe and nvscpapisvr.exe (one open per parent and per hollowed copy).

Modifies registry class (1 IoCs)
Process: javaup12.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 4624 841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe, 64 identical rows.

Suspicious use of WriteProcessMemory (64 IoCs)
Rows collapsed to unique writer -> target pairs (row count, report target id):
PID 3776 (841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe) wrote to memory of 4624: 10 rows (target id 84)
PID 4624 (841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe) wrote to memory of 4708: 3 rows (target id 93)
PID 4708 (javaup12.exe) wrote to memory of 2164: 12 rows (target id 94)
PID 2164 (javaup12.exe) wrote to memory of 1468: 3 rows (target id 96)
PID 1468 (nvscpapisvr.exe) wrote to memory of 3400: 12 rows (target id 97)
PID 3400 (nvscpapisvr.exe) wrote to memory of 4848 (iexplore.exe): 24 rows (target id 100)
The 10- and 12-row entries pair with the three SetThreadContext rows above (each parent rewriting a spawned copy of its own image); the 3-row entries are a process writing into a newly created child of a different image. The 24 writes into iexplore.exe, a process that shows no signatures of its own, point to code being placed in a browser process, which fits the "Explorer"-labelled firewall exception. 64 rows is the most this report lists per signature, so the table may be truncated.
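Reconstructing the injection chain from these rows, as an added example (not sandbox code): it parses the report's "PID <src> wrote to memory of <dst> ..." and "set thread context of" rows, collapses the repeats into per-edge counters, labels each edge and walks the chain from the submitted sample's first PID. The rows and the PID-to-image map are copied from this report (row multiplicities from the 64-entry table); the edge labels and the "more than three writes" threshold are this example's own assumptions.

```python
"""Rebuild the injection chain from this report's 'set thread context' and
'wrote to memory' rows and label each writer -> target edge.  Added example."""
import re
from collections import defaultdict

# Row shape used by the report: PID <src> <verb> <dst> <src> <src image> <target id>
ROW_RE = re.compile(r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
                    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_id>\d+)$")

SAMPLE = "841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe"
IMAGES = {3776: SAMPLE, 4624: SAMPLE, 4708: "javaup12.exe", 2164: "javaup12.exe",
          1468: "nvscpapisvr.exe", 3400: "nvscpapisvr.exe", 4848: "iexplore.exe"}

REPORT_ROWS = (
    [f"PID 3776 set thread context of 4624 3776 {SAMPLE} 84"]
    + [f"PID 3776 wrote to memory of 4624 3776 {SAMPLE} 84"] * 10
    + [f"PID 4624 wrote to memory of 4708 4624 {SAMPLE} 93"] * 3
    + ["PID 4708 set thread context of 2164 4708 javaup12.exe 94"]
    + ["PID 4708 wrote to memory of 2164 4708 javaup12.exe 94"] * 12
    + ["PID 2164 wrote to memory of 1468 2164 javaup12.exe 96"] * 3
    + ["PID 1468 set thread context of 3400 1468 nvscpapisvr.exe 97"]
    + ["PID 1468 wrote to memory of 3400 1468 nvscpapisvr.exe 97"] * 12
    + ["PID 3400 wrote to memory of 4848 3400 nvscpapisvr.exe 100"] * 24
)


def parse_rows(rows):
    """Collapse repeated rows into per-edge counters {(src, dst): {"writes": n, "ctx": n}}."""
    edges = defaultdict(lambda: {"writes": 0, "ctx": 0})
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            kind = "ctx" if m["verb"].startswith("set thread") else "writes"
            edges[(int(m["src"]), int(m["dst"]))][kind] += 1
    return dict(edges)


def label_edge(src, dst, counts, images):
    """Writes plus a thread-context change into a copy of the writer's own image is
    process hollowing; many writes without it suggest remote injection; a handful of
    writes into a fresh child is what process creation itself looks like."""
    same_image = images.get(src) == images.get(dst)
    if counts["ctx"] and counts["writes"]:
        return "self-hollowing" if same_image else "hollowing"
    if counts["writes"] > 3:          # assumed threshold
        return "remote-write-injection"
    return "creation-writes"


def build_chain(edges, images, root):
    """Depth-first walk from root, returning (src, dst, label) in spawn order."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    chain, stack, seen = [], [root], set()
    while stack:
        src = stack.pop()
        if src in seen:
            continue
        seen.add(src)
        for dst in sorted(children[src], reverse=True):   # lowest PID is popped first
            stack.append(dst)
        for dst in sorted(children[src]):
            chain.append((src, dst, label_edge(src, dst, edges[(src, dst)], images)))
    return chain


def hollowed_pids(edges, images):
    """PIDs whose memory and thread context were both rewritten by their parent."""
    return sorted(dst for (src, dst), c in edges.items()
                  if label_edge(src, dst, c, images).endswith("hollowing"))


def describe(chain, images):
    return [f"{s} ({images.get(s, '?')}) -[{label}]-> {d} ({images.get(d, '?')})"
            for s, d, label in chain]


if __name__ == "__main__":
    edges = parse_rows(REPORT_ROWS)
    print("\n".join(describe(build_chain(edges, IMAGES, 3776), IMAGES)))
    print("hollowed:", hollowed_pids(edges, IMAGES))
```

The hollowed PIDs this returns (2164, 3400 and 4624) are exactly the ones that carry the file, registry and firewall signatures in the process tree, which is the usual reason to key detections on the rewritten child rather than on the short-lived parent.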
Processes
1. C:\Users\Admin\AppData\Local\Temp\841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe (PID 3776)
   command line: "C:\Users\Admin\AppData\Local\Temp\841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe (PID 4624; target of the WriteProcessMemory/SetThreadContext calls from 3776)
      command line: C:\Users\Admin\AppData\Local\Temp\841e3020571b7e88f6bdeb2feaae66ab_JaffaCakes118.exe
      - Modifies firewall policy service
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\javaup12.exe (PID 4708)
         command line: "C:\Windows\system32\javaup12.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\javaup12.exe (PID 2164; target of the WriteProcessMemory/SetThreadContext calls from 4708)
            command line: C:\Windows\SysWOW64\javaup12.exe
            - Checks computer location settings
            - Executes dropped EXE
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\nvscpapisvr.exe (PID 1468)
               command line: "C:\Windows\nvscpapisvr.exe"
               - Executes dropped EXE
               - Suspicious use of SetThreadContext
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\nvscpapisvr.exe (PID 3400; target of the WriteProcessMemory/SetThreadContext calls from 1468)
                  command line: C:\Windows\nvscpapisvr.exe
                  - Adds policy Run key to start application
                  - Boot or Logon Autostart Execution: Active Setup
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                  7. C:\Program Files\Internet Explorer\iexplore.exe (PID 4848)
                     command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                     - no signatures of its own; receives the 24 WriteProcessMemory calls from 3400 listed above
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in brackets)
Persistence
  Boot or Logon Autostart Execution, T1547 (3)
    Active Setup, T1547.014 (1)
    Registry Run Keys / Startup Folder, T1547.001 (2)
  Create or Modify System Process, T1543 (1)
    Windows Service, T1543.003 (1)
Privilege Escalation
  Boot or Logon Autostart Execution, T1547 (3)
    Active Setup, T1547.014 (1)
    Registry Run Keys / Startup Folder, T1547.001 (2)
  Create or Modify System Process, T1543 (1)
    Windows Service, T1543.003 (1)
Defense Evasion
  Impair Defenses, T1562 (1)
    Disable or Modify System Firewall, T1562.004 (1)
  Modify Registry, T1112 (4)
No service-creation IoC appears in the tables above; the only key touched under Services is the SharedAccess firewall policy.
Downloads
Filesize: 234KB
MD5: 73724d8bf5297c7423afb1abf90858fb
SHA1: 41f3ef6857c9d0e63c725b16da9e33a093a9d957
SHA256: 95697f17ba0b6f93393031812489ee3211a0d06a804891d1c1f167a7502e6b80
SHA512: ecc0e8d2e89562eb7046bb759cb7d26f1c386aef0706e52830227a596f6fd7689a41eb72c98cdf18293702a2b4e4948296b8465d6df817282c5edf0418bd7283
(The report does not name this artifact; its size and hashes differ from the 451KB submitted sample.)