Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2024 18:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
30 signatures
150 seconds
Behavioral task
behavioral2
Sample
a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe
-
Size
646KB
-
MD5
a36d5c7da72073f9b44f382f23df9b10
-
SHA1
a7e8b1507bfb258a8efbbcc3bd72734f144fe998
-
SHA256
2aba224a13f4d8602fd1f0e5f9373b3c958178bc79f51c34d0070a2742da1b93
-
SHA512
4a7ce1a30c8b7f37f679b8f37d3e6e0995b2b2320f06743318bf0f79786d0d724d862583472dd6fc0327ee87b9bdb68e0135813a029f96267d94fd707fb11be4
-
SSDEEP
12288:k/dr9yql7Xy+mO0FKUDTtMi1NzW/DaRMvNXx265syu4MrZ:kl8qNiyUdMONUzeosyu4M
Score
10/10
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" g6NuH2.exe Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" fubuy.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation g6NuH2.exe Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe -
Executes dropped EXE 7 IoCs
pid Process 2428 g6NuH2.exe 1012 fubuy.exe 400 adhost.exe 1564 adhost.exe 2648 bdhost.exe 5032 cdhost.exe 4472 ddhost.exe -
Adds Run key to start application 2 TTPs 51 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /s" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /e" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /D" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /O" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /U" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /f" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /q" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /T" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /L" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /z" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /Y" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /B" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /Z" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /j" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /r" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /F" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /V" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /W" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /p" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /m" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /x" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /k" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /N" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /a" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /Q" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /w" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /E" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /d" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /X" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /n" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /b" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /I" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /G" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /y" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /u" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /A" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /W" g6NuH2.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /R" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /h" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /J" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /H" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /g" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /c" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /t" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /K" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /i" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /v" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /o" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /C" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /S" fubuy.exe Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fubuy = "C:\\Users\\Admin\\fubuy.exe /l" fubuy.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 1552 tasklist.exe 2528 tasklist.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 988 set thread context of 2112 988 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 97 PID 400 set thread context of 1564 400 adhost.exe 105 PID 5032 set thread context of 2296 5032 cdhost.exe 112 -
resource yara_rule behavioral2/memory/2112-3-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral2/memory/2112-4-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral2/memory/2112-7-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral2/memory/2112-10-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral2/memory/2112-9-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral2/memory/2112-56-0x0000000000400000-0x00000000004C4000-memory.dmp upx behavioral2/memory/2112-100-0x0000000000400000-0x00000000004C4000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2020 2648 WerFault.exe 106 -
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language g6NuH2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cdhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language adhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bdhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasklist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fubuy.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2428 g6NuH2.exe 2428 g6NuH2.exe 2428 g6NuH2.exe 2428 g6NuH2.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1564 adhost.exe 1564 adhost.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1564 adhost.exe 1564 adhost.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1564 adhost.exe 1564 adhost.exe 1012 fubuy.exe 1012 fubuy.exe 1564 adhost.exe 1564 adhost.exe 1564 adhost.exe 1564 adhost.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1012 fubuy.exe 1564 adhost.exe 1564 adhost.exe 1012 fubuy.exe 1012 fubuy.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1552 tasklist.exe Token: SeDebugPrivilege 2528 tasklist.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 2428 g6NuH2.exe 1012 fubuy.exe 4472 ddhost.exe -
Suspicious use of WriteProcessMemory 53 IoCs
description pid Process procid_target PID 988 wrote to memory of 2112 988 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 97 PID 988 wrote to memory of 2112 988 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 97 PID 988 wrote to memory of 2112 988 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 97 PID 988 wrote to memory of 2112 988 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 97 PID 988 wrote to memory of 2112 988 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 97 PID 988 wrote to memory of 2112 988 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 97 PID 988 wrote to memory of 2112 988 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 97 PID 988 wrote to memory of 2112 988 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 97 PID 2112 wrote to memory of 2428 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 98 PID 2112 wrote to memory of 2428 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 98 PID 2112 wrote to memory of 2428 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 98 PID 2428 wrote to memory of 1012 2428 g6NuH2.exe 100 PID 2428 wrote to memory of 1012 2428 g6NuH2.exe 100 PID 2428 wrote to memory of 1012 2428 g6NuH2.exe 100 PID 2428 wrote to memory of 2936 2428 g6NuH2.exe 101 PID 2428 wrote to memory of 2936 2428 g6NuH2.exe 101 PID 2428 wrote to memory of 2936 2428 g6NuH2.exe 101 PID 2936 wrote to memory of 1552 2936 cmd.exe 103 PID 2936 wrote to memory of 1552 2936 cmd.exe 103 PID 2936 wrote to memory of 1552 2936 cmd.exe 103 PID 2112 wrote to memory of 400 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 104 PID 2112 wrote to memory of 400 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 104 PID 2112 wrote to memory of 400 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 104 PID 400 wrote to memory of 1564 400 adhost.exe 105 PID 400 wrote to memory of 1564 400 adhost.exe 105 PID 400 wrote to memory of 1564 400 adhost.exe 105 PID 400 wrote to memory of 1564 400 adhost.exe 105 PID 400 wrote to memory of 1564 400 adhost.exe 105 PID 400 wrote to memory of 1564 400 adhost.exe 105 PID 400 wrote to memory of 1564 400 adhost.exe 105 PID 400 wrote to memory of 1564 400 adhost.exe 105 PID 400 wrote to memory of 1564 400 adhost.exe 105 PID 400 wrote to memory of 1564 400 adhost.exe 105 PID 2112 wrote to memory of 2648 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 106 PID 2112 wrote to memory of 2648 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 106 PID 2112 wrote to memory of 2648 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 106 PID 2112 wrote to memory of 5032 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 111 PID 2112 wrote to memory of 5032 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 111 PID 2112 wrote to memory of 5032 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 111 PID 5032 wrote to memory of 2296 5032 cdhost.exe 112 PID 5032 wrote to memory of 2296 5032 cdhost.exe 112 PID 5032 wrote to memory of 2296 5032 cdhost.exe 112 PID 2112 wrote to memory of 4472 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 115 PID 2112 wrote to memory of 4472 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 115 PID 2112 wrote to memory of 4472 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 115 PID 2112 wrote to memory of 1964 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 117 PID 2112 wrote to memory of 1964 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 117 PID 2112 wrote to memory of 1964 2112 a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe 117 PID 1964 wrote to memory of 2528 1964 cmd.exe 119 PID 1964 wrote to memory of 2528 1964 cmd.exe 119 PID 1964 wrote to memory of 2528 1964 cmd.exe 119 PID 1012 wrote to memory of 2528 1012 fubuy.exe 119 PID 1012 wrote to memory of 2528 1012 fubuy.exe 119
Processes
-
C:\Users\Admin\AppData\Local\Temp\a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Users\Admin\AppData\Local\Temp\a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exea36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Users\Admin\g6NuH2.exeC:\Users\Admin\g6NuH2.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Users\Admin\fubuy.exe"C:\Users\Admin\fubuy.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1012
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del g6NuH2.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1552
-
-
-
-
C:\Users\Admin\adhost.exeC:\Users\Admin\adhost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Users\Admin\adhost.exeadhost.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1564
-
-
-
C:\Users\Admin\bdhost.exeC:\Users\Admin\bdhost.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 3324⤵
- Program crash
PID:2020
-
-
-
C:\Users\Admin\cdhost.exeC:\Users\Admin\cdhost.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\explorer.exe000000FC*4⤵PID:2296
-
-
-
C:\Users\Admin\ddhost.exeC:\Users\Admin\ddhost.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4472
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c tasklist&&del a36d5c7da72073f9b44f382f23df9b10_JaffaCakes118.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2648 -ip 26481⤵PID:1052
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
172KB
MD536fa3dbb1702552896cc677b5bda52dc
SHA1c87f2707913047dcd2a896896fe2905b08c33985
SHA256e8a3a99554c8aea64d2afa291655795896fbc14d053d3d29178c3536eee39f74
SHA5129ace90bd8e81b507d2db75a493554b4a676730271883976033e4025dc6d19250070b6fd8825905e2aeea213bfc271e5d2c43a2eeca86bce0b3db497801731c53
-
Filesize
174KB
MD5f3e286f3fc9467d3b9e56d41038b17d5
SHA13653c381586b01016a56de58d59300e431368162
SHA256ec735fb26d310b803d6c4370b7cdd2a4e0f100dc442d0545f3742b3b48da5f3f
SHA5120ba3b50c8dbce8da4f3a312a8f57375b102dcc7348485300b1d65fec3b6f55f62eb54e8252ddd4d73620442813731f7bfceb84c122c07a778afde76d8a642e2d
-
Filesize
118KB
MD54abe6afa1ff995b70ef6511c1f0567ae
SHA180935a41582e0fb168c37d2960dce974cab5f0ab
SHA256fba532bcf20eaba48015c06e52efd121a46dffad4a293d47d1ccc6529e0beae8
SHA512bd8521102317e02b91025d8f3b5976e3ea6a93b82d8ca76bc05f43ca845d92d1a206d1a2710c194a018504a1578004f154d83c26243ffa2336a19610ee51c565
-
Filesize
24KB
MD571aecf19a1aec54e3d2c63f945cc6956
SHA112213f95739e45881458a7bbb429a0b7b363ccbf
SHA256c98cd0c456aa393a80d81d259dc8077edaf44d833e0691054291a9ba285f74cf
SHA512a8634acb97730db9415fd5cb93cb23e1adea0d19c182cf3daf423a73d76dbf7cd3ae1829a3a24fefaab8ffa3fb5e3b93662559067590c7a6779ead71b8f145e4
-
Filesize
256KB
MD50f66451a529589824a780253a08fa560
SHA174d57a814c9305a13dd6b6a814df23771853bf89
SHA25626116120258aa484b185b7ce1340adf7e3bea27273ec1b4bbae81f42950a84b9
SHA51281d731968394f0222092adc1e7e440a72ea884968769dcfdecfcca3005a12e99c7cd1567d6e007450d014bfd1ea9aa27835ffed2894b44d3a709b456d85a3eff
-
Filesize
256KB
MD5be8379280ac23f08b8b091e1bc345eae
SHA1bb432b69277aec39e5566ec120d6fd8fe4e0097b
SHA256caf1a47f843337e61a31e6faf6745bd9fd70e14af77f171c8764ea9d2fbe9dc5
SHA512d5a26da6a5ded9961cc995a8f6e53b9a97d95330654a1e1e588ddcabcf4d058fe527b1d68de057b8b73be49f4bcb64b58db229a2007c9eb5858a7f1d81ddd215