Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 26-11-2024 18:23
Static task: static1
Behavioral task: behavioral1
  Sample: a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
Every signature, memory match and process listed on this page comes from behavioral1 (the Windows 7 x64 run); no behavioral2 (Windows 10) results are recorded here.
General
Target: a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe
Size: 646KB
MD5: a36d5c7da72073f9b44f382f23df9b10
SHA1: a7e8b1507bfb258a8efbbcc3bd72734f144fe998
SHA256: 2aba224a13f4d8602fd1f0e5f9373b3c958178bc79f51c34d0070a2742da1b93
SHA512: 4a7ce1a30c8b7f37f679b8f37d3e6e0995b2b2320f06743318bf0f79786d0d724d862583472dd6fc0327ee87b9bdb68e0135813a029f96267d94fd707fb11be4
SSDEEP: 12288:k/dr9yql7Xy+mO0FKUDTtMi1NzW/DaRMvNXx265syu4MrZ:kl8qNiyUdMONUzeosyu4M
Malware Config
Signatures

Cycbot family

Detects Cycbot payload 3 IoCs
Cycbot is a backdoor and trojan written in C++.
resource | yara_rule
- behavioral1/memory/1588-93-0x0000000000400000-0x000000000044C000-memory.dmp | family_cycbot
- behavioral1/memory/2788-158-0x0000000000400000-0x000000000044C000-memory.dmp | family_cycbot
- behavioral1/memory/2968-160-0x0000000000400000-0x000000000044C000-memory.dmp | family_cycbot
All three matches are the image range 0x400000-0x44C000 of the three bdhost.exe processes (PIDs 2788, 1588, 2968); the same three regions also match the upx rule further down, so the Cycbot payload is identified in the unpacked image rather than in the dropper itself.
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | bdhost.exe
wscsvc is the Windows Security Center service. Start = 3 is SERVICE_DEMAND_START (manual); the default is 2 (automatic), so after this write the service no longer starts at boot and Security Center stops reporting on antivirus, firewall and update state.

Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | g6NuH2.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | xeeuta.exe
ShowSuperHidden = 0 makes Explorer keep protected operating-system files hidden even when the user has enabled "show hidden files"; both the first-stage dropper (g6NuH2.exe) and its persistent copy (xeeuta.exe) write it.
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Only the key creation is recorded, with no component subkey or StubPath value beneath it, and the process tree attributes it to the desktop explorer.exe (PID 632) rather than to the explorer.exe instance started by cdhost.exe (PID 656). Windows itself writes under the per-user Installed Components key at logon to record which Active Setup components have already run, so this single IoC is weak evidence of persistence on its own; the Run key entries below are the stronger indicator.

Disables taskbar notifications via registry modification
(The registry write behind this signature is the HideSCAHealth value listed under "System policy modification" below.)

Deletes itself 1 IoCs
pid | Process
- 1016 cmd.exe
The deletion is done with "cmd.exe /c tasklist&&del <file>" (see the process tree); the tasklist call is only a delay so that the dropper's own process has exited and its file is no longer locked when del runs.

Executes dropped EXE 10 IoCs
pid | Process
- 1712 g6NuH2.exe
- 2804 xeeuta.exe
- 2616 adhost.exe
- 3052 adhost.exe
- 2788 bdhost.exe
- 1588 bdhost.exe
- 2968 bdhost.exe
- 3048 cdhost.exe
- 332 csrss.exe
- 320 ddhost.exe
PID 332 is the system's own csrss.exe (its command line under Processes is the standard one) and is the target of a memory write from the injected explorer.exe (PID 656); read the "dropped EXE" tag on it as a consequence of that injection, not as a dropped binary named csrss.exe.

Loads dropped DLL 12 IoCs
pid | Process
- 3008 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe (10 loads)
- 1712 g6NuH2.exe (2 loads)

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
(No IoC rows are recorded for this signature on this page.)
Adds Run key to start application 2 TTPs 52 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeuta = "C:\\Users\\Admin\\xeeuta.exe /<switch>" | xeeuta.exe (50 writes) and g6NuH2.exe (1 write)
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4E4.exe = "C:\\Program Files (x86)\\LP\\D3A4\\4E4.exe" | bdhost.exe
The xeeuta value is one registry value rewritten 51 times, each time with a different single-character switch after the executable path. In the order recorded: /U /S /A /w /T /s /d /G /D /L /u /C /Q /c /i /I /z /o /K /e /j /R (this one by g6NuH2.exe) /r /a /n /l /t /h /P /b /H /x /g /B /Y /f /N /M /F /J /X /y /q /k /R /v /V /p /m /E /O; the 4E4.exe entry was written between the /F and /J rewrites. Two points matter for detection: the persisted binary sits directly in the user profile root (C:\Users\Admin\xeeuta.exe), and the second autostart is a machine-wide entry in the 32-bit (Wow6432Node) Run key pointing at a freshly created directory under Program Files (x86).
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
- File created | \systemroot\assembly\GAC_64\Desktop.ini | csrss.exe
- File created | \systemroot\assembly\GAC_32\Desktop.ini | csrss.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
- 2916 tasklist.exe
- 1984 tasklist.exe

Suspicious use of SetThreadContext 3 IoCs
description | pid Process | procid_target
- PID 2504 set thread context of 3008 | 2504 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe | 30
- PID 2616 set thread context of 3052 | 2616 adhost.exe | 39
- PID 3048 set thread context of 656 | 3048 cdhost.exe | 47
Each of these parents also wrote into the same child (see "Suspicious use of WriteProcessMemory" below). A child started from the same image, or from explorer.exe, that is written to and then has its thread context replaced is the process-hollowing sequence; it is why the dropper and adhost.exe each appear twice in the process tree and why the cdhost.exe payload ends up running as explorer.exe (PID 656).

UPX-packed image in memory (yara rule upx) 11 IoCs
resource | yara_rule
- behavioral1/memory/3008-9-0x0000000000400000-0x00000000004C4000-memory.dmp | upx
- behavioral1/memory/3008-4-0x0000000000400000-0x00000000004C4000-memory.dmp | upx
- behavioral1/memory/3008-2-0x0000000000400000-0x00000000004C4000-memory.dmp | upx
- behavioral1/memory/3008-15-0x0000000000400000-0x00000000004C4000-memory.dmp | upx
- behavioral1/memory/3008-13-0x0000000000400000-0x00000000004C4000-memory.dmp | upx
- behavioral1/memory/3008-12-0x0000000000400000-0x00000000004C4000-memory.dmp | upx
- behavioral1/memory/3008-52-0x0000000000400000-0x00000000004C4000-memory.dmp | upx
- behavioral1/memory/1588-93-0x0000000000400000-0x000000000044C000-memory.dmp | upx
- behavioral1/memory/2788-158-0x0000000000400000-0x000000000044C000-memory.dmp | upx
- behavioral1/memory/2968-160-0x0000000000400000-0x000000000044C000-memory.dmp | upx
- behavioral1/memory/3008-326-0x0000000000400000-0x00000000004C4000-memory.dmp | upx

Drops file in Program Files directory 2 IoCs
description | ioc | Process
- File created | C:\Program Files (x86)\LP\D3A4\4E4.exe | bdhost.exe
- File opened for modification | C:\Program Files (x86)\LP\D3A4\4E4.exe | bdhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bdhost.exe (3), ddhost.exe, cmd.exe (2), g6NuH2.exe, xeeuta.exe, adhost.exe, a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe (2), tasklist.exe (2), cdhost.exe
Opening the NLS\Language key is also ordinary loader behaviour, which is why cmd.exe and tasklist.exe appear here alongside the malware processes; on its own it is not an indicator.

Modifies registry class 8 IoCs
description | ioc | Process
- Key created | \registry\machine\Software\Classes\Interface\{77cb6740-d340-b2db-10a6-4c2e49be6ba3} | explorer.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77cb6740-d340-b2db-10a6-4c2e49be6ba3}\u = "860049491" | explorer.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77cb6740-d340-b2db-10a6-4c2e49be6ba3}\cid = "7689930531805703945" | explorer.exe
- Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings | explorer.exe
- Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
- Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
The Interface\{77cb6740-...} key holds only two integer values (u and cid) and none of the subkeys a real COM interface registration carries, so it is more plausibly bot-side state (an installation or client identifier) written by the hollowed explorer.exe than a genuine class registration. The BagMRU entries are ordinary Explorer view state from the desktop shell.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
- 1712 g6NuH2.exe (2 hits)
- 2804 xeeuta.exe and 3052 adhost.exe (the remaining 62 hits, interleaved between the two processes)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
- 632 explorer.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs
description | pid Process
- Token: SeDebugPrivilege | 2916 tasklist.exe
- Token: SeShutdownPrivilege | 632 explorer.exe (12 hits: ten before and two after the explorer.exe 656 entry)
- Token: SeDebugPrivilege | 656 explorer.exe
- Token: SeDebugPrivilege | 1984 tasklist.exe
SeDebugPrivilege in tasklist.exe and SeShutdownPrivilege in the desktop shell are normal. SeDebugPrivilege enabled in the explorer.exe instance spawned by cdhost.exe (PID 656) is not: that privilege is what is needed to open csrss.exe for writing, and the WriteProcessMemory list below records exactly that write (656 into 332).

Suspicious use of FindShellTrayWindow 28 IoCs
pid | Process
- 632 explorer.exe (28 hits)

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
- 632 explorer.exe (18 hits)

Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
- 3008 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe
- 1712 g6NuH2.exe
- 2804 xeeuta.exe
- 320 ddhost.exe

Suspicious use of UnmapMainImage 1 IoCs
pid | Process
- 332 csrss.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid Process | procid_target | writes
- PID 2504 wrote to memory of 3008 | 2504 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe | 30 | 8
- PID 3008 wrote to memory of 1712 | 3008 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe | 31 | 4
- PID 1712 wrote to memory of 2804 | 1712 g6NuH2.exe | 33 | 4
- PID 1712 wrote to memory of 2760 | 1712 g6NuH2.exe | 34 | 4
- PID 2760 wrote to memory of 2916 | 2760 cmd.exe | 36 | 4
- PID 3008 wrote to memory of 2616 | 3008 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe | 38 | 4
- PID 2616 wrote to memory of 3052 | 2616 adhost.exe | 39 | 11
- PID 3008 wrote to memory of 2788 | 3008 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe | 40 | 4
- PID 2788 wrote to memory of 1588 | 2788 bdhost.exe | 41 | 4
- PID 2788 wrote to memory of 2968 | 2788 bdhost.exe | 43 | 4
- PID 3008 wrote to memory of 3048 | 3008 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe | 46 | 4
- PID 3048 wrote to memory of 656 | 3048 cdhost.exe | 47 | 5
- PID 656 wrote to memory of 332 | 656 explorer.exe | 2 | 1
- PID 3008 wrote to memory of 320 | 3008 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe | 48 | 3
The 64 rows are these 14 parent/child pairs repeated; the "writes" column is the repeat count. The three pairs with more than four writes (2504 into 3008, 2616 into 3052, 3048 into 656) are exactly the three SetThreadContext pairs above, and the single write from the hollowed explorer.exe (PID 656) into csrss.exe (PID 332, procid 2) is the only write into a process the sample did not start itself.
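The write and thread-context rows above can be turned into a process graph mechanically. The following is an added example, not code from the original report or from the sandbox that produced it: it parses rows in the exact format the "Suspicious use of WriteProcessMemory" and "Suspicious use of SetThreadContext" signatures print, counts writes per parent/child pair, rebuilds the tree of processes reached by memory writes, and flags the pairs where the parent also redirected the child's thread context (the hollowing sequence). The function names are this example's own; the embedded rows are a constructed subset of the rows shown above, with two duplicates kept to exercise the counting.

```python
"""Rebuild the injection chain from sandbox memory-write rows (added example)."""
import re
from collections import Counter

# Row format as printed in the report:
#   PID <src> wrote to memory of <dst> <src> <image> <procid_target>
#   PID <src> set thread context of <dst> <src> <image> <procid_target>
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)$"
)

# Constructed input: one row per distinct parent/child pair from the report,
# plus duplicates for 2504->3008 and 2616->3052 to show the counting.
WPM_ROWS = """
PID 2504 wrote to memory of 3008 2504 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 30
PID 2504 wrote to memory of 3008 2504 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 30
PID 3008 wrote to memory of 1712 3008 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 31
PID 1712 wrote to memory of 2804 1712 g6NuH2.exe 33
PID 1712 wrote to memory of 2760 1712 g6NuH2.exe 34
PID 2760 wrote to memory of 2916 2760 cmd.exe 36
PID 3008 wrote to memory of 2616 3008 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 38
PID 2616 wrote to memory of 3052 2616 adhost.exe 39
PID 2616 wrote to memory of 3052 2616 adhost.exe 39
PID 3008 wrote to memory of 2788 3008 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 40
PID 2788 wrote to memory of 1588 2788 bdhost.exe 41
PID 2788 wrote to memory of 2968 2788 bdhost.exe 43
PID 3008 wrote to memory of 3048 3008 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 46
PID 3048 wrote to memory of 656 3048 cdhost.exe 47
PID 656 wrote to memory of 332 656 explorer.exe 2
PID 3008 wrote to memory of 320 3008 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 48
"""

STC_ROWS = """
PID 2504 set thread context of 3008 2504 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 30
PID 2616 set thread context of 3052 2616 adhost.exe 39
PID 3048 set thread context of 656 3048 cdhost.exe 47
"""


def parse_rows(text):
    """Return (src, op, dst, image) for every row that matches; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m["src"]), m["op"], int(m["dst"]), m["image"]))
    return rows


def write_edges(text):
    """Map (src, dst) -> number of WriteProcessMemory rows for that pair, first-seen order."""
    return Counter((s, d) for s, op, d, _ in parse_rows(text) if op == "wrote to memory of")


def hollowing_candidates(wpm_text, stc_text):
    """Pairs where the parent both wrote the child's memory and replaced its thread context."""
    written = set(write_edges(wpm_text))
    redirected = {(s, d) for s, op, d, _ in parse_rows(stc_text) if op == "set thread context of"}
    return sorted(written & redirected)


def injection_tree(text, root):
    """Depth-first (depth, pid) listing of every process reachable from root via writes."""
    children = {}
    for s, d in write_edges(text):
        children.setdefault(s, []).append(d)
    out, seen = [], set()

    def walk(pid, depth):
        if pid in seen:  # sandbox rows can be noisy; never loop on a repeated pid
            return
        seen.add(pid)
        out.append((depth, pid))
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return out


if __name__ == "__main__":
    for (s, d), n in write_edges(WPM_ROWS).items():
        print(f"{s} -> {d}: {n} write(s)")
    print("hollowing candidates:", hollowing_candidates(WPM_ROWS, STC_ROWS))
    for depth, pid in injection_tree(WPM_ROWS, 2504):
        print("  " * depth + str(pid))
```

Run it on the full 64 rows from the report and the counts in the "writes" column above fall out directly; the hollowing candidates are the three pairs flagged under SetThreadContext, and the tree rooted at 2504 reproduces the Processes section below, including the hop from the hollowed explorer.exe (656) into csrss.exe (332).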
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | bdhost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | bdhost.exe
HideSCAHealth = 1 is the policy that removes the Action Center (Security Center health) icon from the notification area, so the user gets no warning about the Security Center service that bdhost.exe has just switched to manual start. This is the write behind "Disables taskbar notifications via registry modification" above.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
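The registry rows in the signatures above are a small, regular vocabulary, which makes them easy to triage programmatically. The following is an added example, not code from the original report or from the sandbox vendor: it parses "Set value (...)" and "Key created" rows in the format printed in this Signatures section, collapses the repeated Run-value rewrites into one finding per value, and maps the writes this sample is known for (Run keys, wscsvc demoted from automatic start, ShowSuperHidden = 0, HideSCAHealth = 1, the Active Setup key) to named findings. The rule names, the finding layout and the helper functions are this example's own; the embedded rows are a constructed subset of the rows shown above.

```python
"""Triage registry IoC rows from a sandbox report (added example)."""
import re

# Row formats as printed in the report:
#   Set value (int|str|data) <path> = "<value>" <process>
#   Key created <path> <process>
EVENT_RE = re.compile(
    r'^(?P<action>Key created|Set value \((?P<type>\w+)\)) '
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<process>\S+)$'
)
# Run values in this report look like  C:\\Users\\Admin\\xeeuta.exe /U  (path, optional switch)
RUN_VALUE_RE = re.compile(r"^(?P<exe>.*?\.exe)(?: (?P<switch>/\S+))?$", re.IGNORECASE)

# Constructed input: a subset of the rows in the Signatures section above.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" bdhost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" g6NuH2.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" xeeuta.exe
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeuta = "C:\\Users\\Admin\\xeeuta.exe /U" xeeuta.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeuta = "C:\\Users\\Admin\\xeeuta.exe /R" g6NuH2.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4E4.exe = "C:\\Program Files (x86)\\LP\\D3A4\\4E4.exe" bdhost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeeuta = "C:\\Users\\Admin\\xeeuta.exe /k" xeeuta.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer bdhost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" bdhost.exe
"""


def parse_events(text):
    """Yield one dict per row that matches; lines in another format are ignored."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        yield {
            "action": "create" if m["action"] == "Key created" else "set",
            "path": m["path"],
            "value": m["value"],  # None for "Key created"
            "process": m["process"],
        }


def short_hive(path):
    """Rewrite the kernel object path to the HKLM / HKU form analysts use."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


def triage_registry_events(text):
    """Return a list of findings; Run-value rewrites are collapsed into one finding per value."""
    findings, run_values = [], {}
    for ev in parse_events(text):
        key, _, name = ev["path"].rpartition("\\")
        low = ev["path"].lower()
        base = {"key": short_hive(key), "name": name, "process": ev["process"]}
        if ev["action"] == "set" and "\\currentversion\\run\\" in low:
            # The report escapes backslashes in values; undo that before splitting path/switch.
            m = RUN_VALUE_RE.match(ev["value"].replace("\\\\", "\\"))
            rec = run_values.setdefault(ev["path"], {
                "rule": "run_key_persistence", "key": base["key"], "name": name,
                "image": m["exe"] if m else ev["value"],
                "switches": [], "writers": [], "rewrites": 0})
            rec["rewrites"] += 1
            if m and m["switch"] and m["switch"] not in rec["switches"]:
                rec["switches"].append(m["switch"])
            if ev["process"] not in rec["writers"]:
                rec["writers"].append(ev["process"])
        elif ev["action"] == "set" and low.endswith("\\services\\wscsvc\\start") and ev["value"] != "2":
            # Security Center service: Start=2 is automatic, 3 manual, 4 disabled.
            findings.append(dict(base, rule="security_center_service_demoted", value=ev["value"]))
        elif ev["action"] == "set" and low.endswith("\\explorer\\advanced\\showsuperhidden") and ev["value"] == "0":
            findings.append(dict(base, rule="hide_protected_os_files"))
        elif ev["action"] == "set" and low.endswith("\\policies\\explorer\\hidescahealth") and ev["value"] == "1":
            findings.append(dict(base, rule="hide_security_center_icon"))
        elif ev["action"] == "create" and low.endswith("\\active setup\\installed components"):
            findings.append(dict(base, rule="active_setup_component"))
    findings.extend(run_values.values())
    return findings


if __name__ == "__main__":
    for finding in triage_registry_events(SAMPLE_EVENTS):
        print(finding)
```

Fed the full 52 Run rows from this report, the xeeuta finding collapses to one image path, 51 rewrites, 50 distinct switches and two writers, which is the summary an analyst actually wants from that signature; the wscsvc, ShowSuperHidden and HideSCAHealth findings carry the process that made each write so they can be tied back to bdhost.exe, g6NuH2.exe and xeeuta.exe.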
Processes
Each entry is image path, PID and depth in the tree, followed by the command line as recorded and the signatures attributed to that process. Children are indented under their parent.

C:\Windows\system32\csrss.exe (PID 332, depth 1)
cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of UnmapMainImage

C:\Windows\system32\svchost.exe (PID 856, depth 1)
cmdline: C:\Windows\system32\svchost.exe -k netsvcs

C:\Users\Admin\AppData\Local\Temp\a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe (PID 2504, depth 1)
cmdline: "C:\Users\Admin\AppData\Local\Temp\a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe (PID 3008, depth 2, parent 2504)
  cmdline: a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\g6NuH2.exe (PID 1712, depth 3, parent 3008)
    cmdline: C:\Users\Admin\g6NuH2.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\xeeuta.exe (PID 2804, depth 4, parent 1712)
      cmdline: "C:\Users\Admin\xeeuta.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\cmd.exe (PID 2760, depth 4, parent 1712)
      cmdline: "C:\Windows\System32\cmd.exe" /c tasklist&&del g6NuH2.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\tasklist.exe (PID 2916, depth 5, parent 2760)
        cmdline: tasklist
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\adhost.exe (PID 2616, depth 3, parent 3008)
    cmdline: C:\Users\Admin\adhost.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\adhost.exe (PID 3052, depth 4, parent 2616)
      cmdline: adhost.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\bdhost.exe (PID 2788, depth 3, parent 3008)
    cmdline: C:\Users\Admin\bdhost.exe
    - Modifies security service
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification

      C:\Users\Admin\bdhost.exe (PID 1588, depth 4, parent 2788)
      cmdline: C:\Users\Admin\bdhost.exe startC:\Users\Admin\AppData\Roaming\4F88F\0AED3.exe%C:\Users\Admin\AppData\Roaming\4F88F
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

      C:\Users\Admin\bdhost.exe (PID 2968, depth 4, parent 2788)
      cmdline: C:\Users\Admin\bdhost.exe startC:\Program Files (x86)\8F834\lvvm.exe%C:\Program Files (x86)\8F834
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\cdhost.exe (PID 3048, depth 3, parent 3008)
    cmdline: C:\Users\Admin\cdhost.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

      C:\Windows\explorer.exe (PID 656, depth 4, parent 3048)
      cmdline: "C:\Windows\explorer.exe"
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    C:\Users\Admin\ddhost.exe (PID 320, depth 3, parent 3008)
    cmdline: C:\Users\Admin\ddhost.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe (PID 1016, depth 3, parent 3008)
    cmdline: "C:\Windows\System32\cmd.exe" /c tasklist&&del a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe
    - Deletes itself
    - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\tasklist.exe (PID 1984, depth 4, parent 1016)
      cmdline: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe (PID 632, depth 1)
cmdline: explorer.exe
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

Two things to note when reading the tree. The bdhost.exe command lines use the sample's own argument convention, "start<path>%<directory>" with no space after "start"; the files they name (0AED3.exe under AppData\Roaming\4F88F and lvvm.exe under Program Files (x86)\8F834) do not appear in any file-creation IoC on this page, so they were not observed on disk during this run. And the explorer.exe at PID 632 is the desktop shell (depth 1, no parent in the sample's tree); the hollowed copy the sample runs its payload in is PID 656 under cdhost.exe.
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (5)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
File names are not recorded in this listing; each entry is size and hashes only.

- Filesize 600B
  MD5 793e3b9b3f1612591ab12ebdffbb9054
  SHA1 a249233ec9b8c79a0a7377f44c531319222a2328
  SHA256 164b11086c34eb76241ab092ecba3cb1684094324f061565d3a76d456b99cc7a
  SHA512 5919b7adf5d06708851a4826b9d75bd77314cbe283c39c05e920ab6ae7172b23d68e07e11b546287759d083ecbf4c41bc5a9182543cbc5edef4da3df79f5ece7
- Filesize 996B
  MD5 9a54ef145897d440e40afa94d54f9fd1
  SHA1 5f54a498a35b7d305d377e304767aa95be3f83bd
  SHA256 34cedc0e8869b234c9404bdc946e42fa57f23d1b3df222646c8a535157af23cb
  SHA512 a24f2ffc2ceacd388ba68ae4510c8581501b6be8e15cb5b377eeb1f86d1e92d867d380e87d3844b609ec34438420c11338f7d01b90be02fb41979791289b2def
- Filesize 1KB
  MD5 b4928832c32ded0217c79cb37900dbea
  SHA1 7b8d8163afe6ef1357b849117311220876d4198c
  SHA256 e3ddf245a82173c8f8778fbda9c341b43c9910f4f43c171a8e234b5832540f9a
  SHA512 72216a4fc663e41b2cdc113629f2dde5096fc67a595131f402f9c48bbe187ca21dd3fed85dc69f7cb646fb2e99932080744b61398e1a469a9985bb295652cc83
- Filesize 118KB
  MD5 4abe6afa1ff995b70ef6511c1f0567ae
  SHA1 80935a41582e0fb168c37d2960dce974cab5f0ab
  SHA256 fba532bcf20eaba48015c06e52efd121a46dffad4a293d47d1ccc6529e0beae8
  SHA512 bd8521102317e02b91025d8f3b5976e3ea6a93b82d8ca76bc05f43ca845d92d1a206d1a2710c194a018504a1578004f154d83c26243ffa2336a19610ee51c565
- Filesize 53KB
  MD5 d3bd9c7e7a29daa24c66dc62cd5f5633
  SHA1 3895247052b6244659e73334e6398677dafa0ac1
  SHA256 6b87925d0e03ab5daa4760b1a62bed66c49cb489d011e2c9633eb0fe466df83f
  SHA512 e243a2272887b02417b08b0d0728689c8f01cc57d473ed811ba98c2f5aa4d985d02d0fd7772bc33356474abcc815609ab7a6c0e905d6fe884fb7bc70bc67e9d0
- Filesize 2KB
  MD5 cdcb784bf76ae1ee31c6acdb13beaeb5
  SHA1 66ce44d495c9d0a31dbd90dd7d08edeb770a0060
  SHA256 2de80198d80e3bef216100a8bd6d7c385b5ccf8e05186442c66ea5d54f5e705b
  SHA512 03773cee7960f7ac584d6ebab18bebeb5a113f2f9d215451b288293c84cc4a4f4e4b09e42ea593fdb84ea4566c2270bc3d58809f8376f6dfcbd6c284a1dbcfde
- Filesize 172KB
  MD5 36fa3dbb1702552896cc677b5bda52dc
  SHA1 c87f2707913047dcd2a896896fe2905b08c33985
  SHA256 e8a3a99554c8aea64d2afa291655795896fbc14d053d3d29178c3536eee39f74
  SHA512 9ace90bd8e81b507d2db75a493554b4a676730271883976033e4025dc6d19250070b6fd8825905e2aeea213bfc271e5d2c43a2eeca86bce0b3db497801731c53
- Filesize 174KB
  MD5 f3e286f3fc9467d3b9e56d41038b17d5
  SHA1 3653c381586b01016a56de58d59300e431368162
  SHA256 ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f
  SHA512 0ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d
- Filesize 24KB
  MD5 71aecf19a1aec54e3d2c63f945cc6956
  SHA1 12213f95739e45881458a7bbb429a0b7b363ccbf
  SHA256 c98cd0c456aa393a80d81d259dc8077edaf44d833e0691054291a9ba285f74cf
  SHA512 a8634acb97730db9415fd5cb93cb23e1adea0d19c182cf3daf423a73d76dbf7cd3ae1829a3a24fefaab8ffa3fb5e3b93662559067590c7a6779ead71b8f145e4
- Filesize 256KB
  MD5 be8379280ac23f08b8b091e1bc345eae
  SHA1 bb432b69277aec39e5566ec120d6fd8fe4e0097b
  SHA256 caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5
  SHA512 d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215
- Filesize 256KB
  MD5 55dcba31f9a8b680cf24082ff42f33cf
  SHA1 67409a650987b77f8dd484c8243d95b243bd5222
  SHA256 ec2d563b9c1e74fe1c8a3dd1f98d857829760bc39126f1a4a52d3dbf70e15e93
  SHA512 8c2edf745112ad65e7065e555efdfce3d5c704835eb239f666421eba2c90cdc671740f7cd631ab40acc4b3fce117433fc2a1fcd2a6cb598761eb68613076e0a1