Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
12-12-2024 06:21
Behavioral task
behavioral1
Sample
e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe
Resource
win7-20240729-en
General
-
Target
e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe
-
Size
719KB
-
MD5
e516dbf12f1aa8136f1b3463f544191c
-
SHA1
544c5c5e5f867354509f1f4b072e487a7f3198a9
-
SHA256
497d9334bc0bbbbc975d0d5bce327738f9ac23dc65b9599655217d2c3c0a9149
-
SHA512
a50028c75acd2df3848a673f7c44b77679fb0dc811edfa99674992915fb6e0518e4388f8d283622063db322fc93b26921068d279a546cdc7f1201328f6751311
-
SSDEEP
12288:tpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIb:PwAcu99lPzvxP+Bsz2XjWTRMQckkIb
Malware Config
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe" e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe -
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate explorer.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe" e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Windupdt\ e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe File created C:\Windows\SysWOW64\Windupdt\winupdate.exe e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\Windupdt\winupdate.exe e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2420 set thread context of 2760 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe 31 -
resource yara_rule behavioral1/memory/2420-0-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral1/memory/2760-13-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral1/memory/2760-14-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral1/memory/2760-16-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral1/memory/2420-15-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral1/memory/2760-18-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral1/memory/2760-21-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral1/memory/2760-19-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral1/memory/2760-20-0x0000000000400000-0x00000000004B5000-memory.dmp upx behavioral1/memory/2760-472-0x0000000000400000-0x00000000004B5000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2444 ping.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier explorer.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AC2B3FB1-B898-11EF-AC25-4298DBAE743E} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000094e79a30e09e3b4092919bda256aef79000000000200000000001066000000010000200000002d46e25d9a52fa833758c5e26feed6088d0fe9bcd2a4489d7107917a188e3f2e000000000e80000000020000200000007005694bd7401f5d71934e0da1768cf76a390ac9d32f1d7383f1b978143a456590000000447fac9eddebdc6aa17db10c7357dadec6b20aceacb023cd86942798b8626639c37f45e7743e41c944dcfed728e98cb7a78cb3f903941606dafeb6b55b756accab76235033d54a7ec2dd7a683036f41d643a263017e4fd3a18ac8417b4acc7201bf1335635e9464bf1f91962e898e982037c364e1170f7f379b583519642f75fad7507648ab29e701be8559a8e43f150400000004009c1b5fbc8f265662a67318a7cc27db08bcfe17b43a9b56f92dfac8ee75a32d1a9d1275bcb3b96ae25d2393852cd8230d426b8b455bcef9df081379f2c9b8e iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 208cda81a54cdb01 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440177001" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000094e79a30e09e3b4092919bda256aef7900000000020000000000106600000001000020000000a3e2bc326ef0dcb8d9ce6934f102fb04ad78a4d4521c386a80589144fa0bab15000000000e8000000002000020000000517502ccb2ff2a28a104fbd6728b50518da60c57cc311db84b9e2d0b089c1785200000006f4bd2294220512099259c1c2807b14fc88d4b5f2842888464702a05ec25066a400000002d2e6923a62dafc699654156adaee0afc0c1ce6236c76da141833564318834821f35f4d42ded9295b17ec879eea64ce52158214829686aaba5d08eb4ee2e7887 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2444 ping.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeSecurityPrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeLoadDriverPrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeSystemProfilePrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeSystemtimePrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeBackupPrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeRestorePrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeShutdownPrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeDebugPrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeUndockPrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeManageVolumePrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeImpersonatePrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: 33 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: 34 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: 35 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2760 explorer.exe Token: SeSecurityPrivilege 2760 explorer.exe Token: SeTakeOwnershipPrivilege 2760 explorer.exe Token: SeLoadDriverPrivilege 2760 explorer.exe Token: SeSystemProfilePrivilege 2760 explorer.exe Token: SeSystemtimePrivilege 2760 explorer.exe Token: SeProfSingleProcessPrivilege 2760 explorer.exe Token: SeIncBasePriorityPrivilege 2760 explorer.exe Token: SeCreatePagefilePrivilege 2760 explorer.exe Token: SeBackupPrivilege 2760 explorer.exe Token: SeRestorePrivilege 2760 explorer.exe Token: SeShutdownPrivilege 2760 explorer.exe Token: SeDebugPrivilege 2760 explorer.exe Token: SeSystemEnvironmentPrivilege 2760 explorer.exe Token: SeChangeNotifyPrivilege 2760 explorer.exe Token: SeRemoteShutdownPrivilege 2760 explorer.exe Token: SeUndockPrivilege 2760 explorer.exe Token: SeManageVolumePrivilege 2760 explorer.exe Token: SeImpersonatePrivilege 2760 explorer.exe Token: SeCreateGlobalPrivilege 2760 explorer.exe Token: 33 2760 explorer.exe Token: 34 2760 explorer.exe Token: 35 2760 explorer.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2028 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2028 iexplore.exe 2028 iexplore.exe 2912 IEXPLORE.EXE 2912 IEXPLORE.EXE 2912 IEXPLORE.EXE 2912 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 2420 wrote to memory of 2028 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe 29 PID 2420 wrote to memory of 2028 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe 29 PID 2420 wrote to memory of 2028 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe 29 PID 2420 wrote to memory of 2028 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe 29 PID 2028 wrote to memory of 2912 2028 iexplore.exe 30 PID 2028 wrote to memory of 2912 2028 iexplore.exe 30 PID 2028 wrote to memory of 2912 2028 iexplore.exe 30 PID 2028 wrote to memory of 2912 2028 iexplore.exe 30 PID 2420 wrote to memory of 2760 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe 31 PID 2420 wrote to memory of 2760 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe 31 PID 2420 wrote to memory of 2760 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe 31 PID 2420 wrote to memory of 2760 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe 31 PID 2420 wrote to memory of 2760 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe 31 PID 2420 wrote to memory of 2760 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe 31 PID 2420 wrote to memory of 2444 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe 32 PID 2420 wrote to memory of 2444 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe 32 PID 2420 wrote to memory of 2444 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe 32 PID 2420 wrote to memory of 2444 2420 e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\NEW TEXT DOCUMENT.HTML2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2912
-
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"2⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Windows\SysWOW64\ping.exeping 127.0.0.1 -n 5 > NUL del "C:\Users\Admin\AppData\Local\Temp\e516dbf12f1aa8136f1b3463f544191c_JaffaCakes118.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2444
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize252B
MD546dda472b6acc3ffd19e77d9a05dcefc
SHA11a3d630bf36abedbb362ea4c570f651503c38f7c
SHA256d83066300d18d47bdd2497d444e4ea777d57b633fa33b7b7e8ef85391df9424f
SHA51280f95aec9f7de260b9fe8f7ae7fe98c6998e2db33330c2d7285b86f520f5f24198299c2901433ccba3483bf42fb69941268e3d99d0ff73166f6725d0e047cb51
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e6fc655b22116fcf7b9d14fea8f2f217
SHA11eb676d5b0c666571343cacb2e7e544f759bc518
SHA256409f019152c456a1073a462c15501ab68f6f0004f6d573c6946ead44cf5ae4ad
SHA512770418bfd8f827476ab27369a4442479fe9839317e3915db7279243727615f65166eabac472ebc84172cf7a54e9dd96de33492c1bc850c72e58b85d1414b834f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD581ef16a38811142469b7775ad81633fa
SHA132ae7d0eb12351c57956dd03ad582c712f73fe74
SHA2569b9f0276b05246e0f4748f8b3a53c7074e33f60ec1b9d27f9aca0f1e8d555f90
SHA5120dcf712a8bf26d9ddb442829f649d3e73b82e26bda137c819cf5a3373905ab81dfff8c452f177380cf46d85542915ca9c157f0d8ea5e5bbc624d643a30f5793b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ed49e2727b7eeabbcd021f62a0d5a376
SHA155b7d402472a6accbd44ebb308263f31613d931b
SHA2563b64fbf8e0e6f6b348fbb53760b02754abbe325f199a7206cff42518dae4e483
SHA512e14572910c5503bbb8915b76258a5235f1510108cd9f53a467e96477cee6a82ddc32f8bbe2b9c7f61fd7db31f3d9276b09c73fef3b7e76d7cb293847045cf167
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD58fb464a8cabd2bceff8cb35cf39cfd62
SHA1b5b3e88566a71adbf36b4d3aca69395ac15aa570
SHA256aebbd319e8b18ef9775c2ac24fade9ae1d2031b409ac3e02a77796bcb5aff14b
SHA5128150c22eae4510817b0a24b5440ba350d093787f78eea0233119ba78320cc6e7113ab4aaf864b125bf3030dcdba3e1d515b2fc671562f31f767e69330ab1c1ed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ab16d6883e12b79eea6eab8837ac8fb2
SHA15561c5cfdc62b32260bb9983e118a9fc457a0fd0
SHA2568dbe097f508a59f8fb71cc5917fc7b4a222af8361f94e10b56a82d05df64a011
SHA512e83d7c2d398e7a32ab424637ac4270f7a4e6312bc6fa365de5262530616f7a8f9453ce5a29bad0f44aba8986956e3bb03cbb16aad8d634f2ebf4d019e9e1c1d7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5bbf060343c34c87a2b2e9e1508142485
SHA16762378eb55172e840b62b637abcf7b532e02e39
SHA256b9d48f419863d3ee71711f90bf133024cdf553c0cc989784dc87bbe40b52afef
SHA5123be1cd48133d754d029d205261fa5637cfc8b5a79bd5e90385d7768efda79a57fb42b26420a902b3b65aa6e2a1ac628a6f68cc941ef4fd432bf124429b649b36
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57b8d28bfbb5a41252be3ab72339fcada
SHA15849116799a051aa766f12a528536b89b15617c2
SHA256e37db4b82a799f21b2fbca5bc61f03f9124875e90c3feb5404ff13200899cde1
SHA512ada9fc493ffba3cbfb9a41fb17f54ea01ea92e5f4ffb2759ad1a57fc24ccaae7241777892869faefe0cd724b3495bcd31e84e6654b5e1a6de698c23546f03b8b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a9e4ce6799d01e9c2a0df85ba5d16848
SHA14a18eb97f66a74f24c4dd8aeff35c820e54153ab
SHA256e1996e6794930f7aec73e048561d8566f950b0050f0951686074e6d6e301ec74
SHA512c57b7860134a118902a14c8310af5212e405408d56d97869ea238e195016d29aedc89c5b872fb9be13303ff377f2af31340d8a86440613943d25047d3eb2009c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e7f7b64d483c0d0178b08461448bb5d7
SHA1bc40d85322d4ac2b8dcd7e5d3c6f65aec190f5ec
SHA256d722379c626abb2ecff6481a140bf61f7907153c5f8b251f294260e461dcd71d
SHA5126a2f24b60bf5c2909d913c1efa5e17f0f2340444b97c18529a2168da240e321f32d8a1dc46d247e7cd9382d425584b5f942a2a5391c58da5382317e0e508b591
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5ccd30fc32671b45ae5c818065adad746
SHA1fec133122ca012b94e0e231616766188dbe3e8c8
SHA256506f013c69b268afdc96e6a55e72c1b2d527df074225a6421d320568c6f81333
SHA5122c356cac91863f6c82901da7f63b19bc824f385cdf702d0e4e75f70b48db44a5bd4e3e1c9e776ca9ec7784aaffeea6192420215c2c2d7f158eef67c9c96e487c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b2d7895e5464ac5143f574c5bcc078f3
SHA1babeffb4bb91513e1a05da130c4452ad4183c35a
SHA2568c4a0e2ac1c9f8bb17aeaf15faa96a1040b1f260e78443a08d3f744b62f19d80
SHA5129510c4ca34dfbd9229f97964253bd531718e2e3935f8a5d9c66ce585a2dd7c963487677a3e9200e4d43ae91e457d4e31d2e5e34ba21f3625c2d3f873160e0862
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b2b8ab8aba9e7e2c2feb567725664c40
SHA13a473251879a227b847dbe1ca86456a2d8d27df7
SHA256d2d585fce164050b76e3531b42cfffcdda96901ae02b787e9a8a79ceb654a29c
SHA51232bf6a2e01ab05c315867ff1cfe37ac73c4b8a3671cae9d3fe36ed5b1ee05cd5aa154bf079f462508e4f995057251bfaa0e6f7d9051c0b6ba580e73c267dd406
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53427384e6ae64bfab8264ce4549106c6
SHA1ec011458bcf78fa9b759d75f072661cc82c9faea
SHA256e29e11297568daeac054a0401f9b98c00a93e01b2baead3b04a3e30cc23d7fa9
SHA51257ac970ee3882a59aed2907503e6c8f3e7b98704e6ee963b2d076887e309e8448b92c86af468bf701c0e32dcfd5ea2f5289e7989a9f3544e24acd1438da306d0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD590dd70b5b94042720e6c1bdcb70f98b6
SHA125d42c5d2633d08d1e9296a140c9bfc8d5f5c5a1
SHA256900b63a350357d3313a57dee757912a2a5f502faf00f5fdcff6092bbc66c33fe
SHA512b2fb6bcc569d9a23e32dacf9eea552dadd3cddb23ebf9e50ef2ff69841fd95eef8aa2ea81828c4b32993667e71076a37a1e3e786f7d04b7fe2b1d5a6405df0e8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5aea11dc815ad23450b04e5107b9a988d
SHA12f01da10a56057d7656cc987904fa8ce9054eddd
SHA256d19d9d568600b59eaedefc36c9a9812d9a61afd12286675a91ae493c34bd952c
SHA512bc0b9e0a54e10c15b0b7a04bf526014c4172e9de8669706b8292b4b079b12ce1e2dbf79db4da3651be4b533f8e168da829f7e10f7876e3aa8cd60764113622be
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a63ce1a710f84161a00544573c5b4341
SHA1c4a112a46f53d6293b166af0eb8f3800ae0875e8
SHA256bb591f52b2278ed7202179e9dddb287afdf6dc4bf1796bd36d6d51a69ca5a4bc
SHA512ecc6135dda365f1c9b6d0fedb665b5c4272f90ffb35c1f1e09012960c032b3ee0895b115c97233cf1c526c40a175ae14a3821da3e98afe63eebe256305a5106f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55028a2113b62dbe4718a0604619be152
SHA15474b38b51d988d0bb817eb40faf32f67e82eabd
SHA25624159225241219d1820c4e0298564cf4d1452fca8432384532c8717b1558febb
SHA512d15549a8658013424472a6a8fed0c9162a6df139b79e46750e6ffe597308580ecb798247229a71e81b922d000a0d50a3d7bcd31ad816bae1b56c2350256d761f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50a6c2bc2cf394dfba78aaa836e72251e
SHA192b1fb5b95ac7a43b1e09a92d87da76e753593de
SHA2567f1f037578fbcde2c01b22d4b38a10c912017ff460fca7a76d1465a782689a2a
SHA512e186ab75606684d45b7072c89f51bce4e570917970541f928993d8a45f319ab7e119914a5a4fe6e1416b74bdc0128b1a27149d72373c99f84a4e6e90ce2c3534
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD503cc7d863b0a80ebec310b29676eaeae
SHA1348014868ad0df9a847471bce34fe05dec88907f
SHA256859708efd4b69a9070c647fc14e3b7cdb1f87d741554bffbbbe67908374ebb0e
SHA512e0d4cfcf1dea2ab699b0809d94770ad7555346df4b81d2a6b371fb9086417e8997aeaf8f93dc612c4c39e879f1908ca4fed8e2795ac819bbad1488ac6870b7ed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c363ba5715ea90d87e02d88ccefa0281
SHA1734dc696da9021a9d7954bb1bbc0cff68d946a91
SHA256c27dd0edb654dca1eeb84e6b5dd8f345b53fbf6461b77a1f00e1536c6b9f1fd6
SHA512ac46441f1df3b2a1b4dda6ed4ab090d579ff9aec3f58e247cc218e565836b41be61eb4e8a30c003353e9dc4152f5831b58c972e88a617bb785eaf47ac0a2dc71
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD571aabb58b1ba40195707e78f63119e97
SHA12fb0415331638f9cc3eac0225fc8c173330ed1c6
SHA256770e2d93bebc793b43f53714e8541f7d79d3af469b17d0ff38eae45ac08377f8
SHA512f200ec13e31bbb7b06e5be63fdd1b0dcd7f0be9854938e85e8ad81ca099a8a6c7622d332c6d51cd15cfcc6a6402772c8511a5b8373e57668b006449d90fc4a2a
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
233B
MD5f94cc60087aa6ae6197f3563779f7c69
SHA143a6e8b6b7340d94c8a1c1716f66ee2c480e9b85
SHA2569324a7623976e14ca6f708409b95d9cf039249f9a5f9f234e7bd4a080ab3a123
SHA5120fb7a807ebe7f48f273013407657d244f76785e4928c4e0ab4a6e9f9e4927586640d49f33a6a7fbf18239fa3790068146081752f846463765d0232b04f286011
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b