c9f3a9caa9b0a67bca48ff6de615351465d0548ca32d7fdaf87dc19a011ff4f7

Analysis

max time kernel
149s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/12/2024, 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
Size

528KB
MD5

fc0eed6b92b5874b37367f08538de1d1
SHA1

7c0d33e53b16c3a6803122e3fa6561d787041210
SHA256

c9f3a9caa9b0a67bca48ff6de615351465d0548ca32d7fdaf87dc19a011ff4f7
SHA512

1356e7f9c060d537f62cf3bb2b75c5ad3ab08b049d5ddd0059a5f405ebbfd0a0ecf40558799d05e2dcedaf99d566c451487d7de3135e7b561bf8bfb1d0915913
SSDEEP

12288:xjLgk4QdQLUq0JhMOuWqyEiPjF7OomtZkga:AEQIvJhMWxZVOomjk

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2568	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
1776	Windows Update.exe
7228	Windows Update.exe
7316	Windows Update.exe

Loads dropped DLL 16 IoCs

pid	Process
1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
1776	Windows Update.exe
1776	Windows Update.exe
1776	Windows Update.exe
1776	Windows Update.exe
7228	Windows Update.exe
7228	Windows Update.exe
7228	Windows Update.exe
1776	Windows Update.exe
7316	Windows Update.exe
7316	Windows Update.exe
7316	Windows Update.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\Windows Update.exe"	reg.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1260 set thread context of 2568	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	30
PID 1260 set thread context of 2916	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	31
PID 1776 set thread context of 7228	1776	Windows Update.exe	37
PID 1776 set thread context of 7316	1776	Windows Update.exe	38
PID 1776 set thread context of 8160	1776	Windows Update.exe	39

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2916-1614-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2568-1613-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2568-1624-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/7228-3200-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/7228-3206-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/7316-3418-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2916-3415-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/7316-3848-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Update.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440696860"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1007E9C1-BD53-11EF-9C44-E61828AB23DD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe
Token: SeDebugPrivilege	7316	Windows Update.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2764	DllHost.exe
8160	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
2568	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
1776	Windows Update.exe
7228	Windows Update.exe
7316	Windows Update.exe
8160	iexplore.exe
8160	iexplore.exe
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE
2764	DllHost.exe
2764	DllHost.exe
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2568	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	30
PID 1260 wrote to memory of 2568	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	30
PID 1260 wrote to memory of 2568	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	30
PID 1260 wrote to memory of 2568	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	30
PID 1260 wrote to memory of 2568	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	30
PID 1260 wrote to memory of 2568	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	30
PID 1260 wrote to memory of 2568	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	30
PID 1260 wrote to memory of 2568	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	30
PID 1260 wrote to memory of 2916	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	31
PID 1260 wrote to memory of 2916	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	31
PID 1260 wrote to memory of 2916	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	31
PID 1260 wrote to memory of 2916	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	31
PID 1260 wrote to memory of 2916	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	31
PID 1260 wrote to memory of 2916	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	31
PID 1260 wrote to memory of 2916	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	31
PID 1260 wrote to memory of 2916	1260	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	31
PID 2916 wrote to memory of 2656	2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	33
PID 2916 wrote to memory of 2656	2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	33
PID 2916 wrote to memory of 2656	2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	33
PID 2916 wrote to memory of 2656	2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	33
PID 2656 wrote to memory of 1644	2656	cmd.exe	35
PID 2656 wrote to memory of 1644	2656	cmd.exe	35
PID 2656 wrote to memory of 1644	2656	cmd.exe	35
PID 2656 wrote to memory of 1644	2656	cmd.exe	35
PID 2916 wrote to memory of 1776	2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	36
PID 2916 wrote to memory of 1776	2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	36
PID 2916 wrote to memory of 1776	2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	36
PID 2916 wrote to memory of 1776	2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	36
PID 2916 wrote to memory of 1776	2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	36
PID 2916 wrote to memory of 1776	2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	36
PID 2916 wrote to memory of 1776	2916	fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe	36
PID 1776 wrote to memory of 7228	1776	Windows Update.exe	37
PID 1776 wrote to memory of 7228	1776	Windows Update.exe	37
PID 1776 wrote to memory of 7228	1776	Windows Update.exe	37
PID 1776 wrote to memory of 7228	1776	Windows Update.exe	37
PID 1776 wrote to memory of 7228	1776	Windows Update.exe	37
PID 1776 wrote to memory of 7228	1776	Windows Update.exe	37
PID 1776 wrote to memory of 7228	1776	Windows Update.exe	37
PID 1776 wrote to memory of 7228	1776	Windows Update.exe	37
PID 1776 wrote to memory of 7228	1776	Windows Update.exe	37
PID 1776 wrote to memory of 7228	1776	Windows Update.exe	37
PID 1776 wrote to memory of 7228	1776	Windows Update.exe	37
PID 1776 wrote to memory of 7316	1776	Windows Update.exe	38
PID 1776 wrote to memory of 7316	1776	Windows Update.exe	38
PID 1776 wrote to memory of 7316	1776	Windows Update.exe	38
PID 1776 wrote to memory of 7316	1776	Windows Update.exe	38
PID 1776 wrote to memory of 7316	1776	Windows Update.exe	38
PID 1776 wrote to memory of 7316	1776	Windows Update.exe	38
PID 1776 wrote to memory of 7316	1776	Windows Update.exe	38
PID 1776 wrote to memory of 7316	1776	Windows Update.exe	38
PID 1776 wrote to memory of 7316	1776	Windows Update.exe	38
PID 1776 wrote to memory of 7316	1776	Windows Update.exe	38
PID 1776 wrote to memory of 7316	1776	Windows Update.exe	38
PID 1776 wrote to memory of 8160	1776	Windows Update.exe	39
PID 1776 wrote to memory of 8160	1776	Windows Update.exe	39
PID 1776 wrote to memory of 8160	1776	Windows Update.exe	39
PID 1776 wrote to memory of 8160	1776	Windows Update.exe	39
PID 1776 wrote to memory of 8160	1776	Windows Update.exe	39
PID 1776 wrote to memory of 8160	1776	Windows Update.exe	39
PID 1776 wrote to memory of 8160	1776	Windows Update.exe	39
PID 1776 wrote to memory of 8160	1776	Windows Update.exe	39
PID 1776 wrote to memory of 8160	1776	Windows Update.exe	39
PID 1776 wrote to memory of 8160	1776	Windows Update.exe	39
PID 1776 wrote to memory of 8160	1776	Windows Update.exe	39

C:\Users\Admin\AppData\Local\Temp\fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\IWWKL.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1644
- - C:\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe
    "C:\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe
      "C:\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:7228
  - - C:\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe
      "C:\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:7316
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:8160
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8160 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2900

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5c40121bcde19e6177b331081ae5d9e

SHA1
cadc45d58df2c60aef96c76c39fac2b79a22bb58

SHA256
f8aadaae771d25c975b9fa0070455e3fc44d1ac5833552829a894dc642028d50

SHA512
ecb289bfa45bd6562f42893568a1f870641b61bc9bf7c285cb12a994cf8da8527e4e96e1ad39b66d20ce75b5cd41fddf1919974f44ad10f36ab548d1d1fb76f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b880d5bae73c892521fb346fe146af3

SHA1
a05698a9dc937aa9d9dc9b871af972d9c48170fd

SHA256
a08110904b0fd324b5ab59d7b19b52447ac5e6d560145073345da9848c72926e

SHA512
3424e5f7697e2113163869d5a1f3abf48a6bfda90896657ba053c40e9ef810343a962feb973212687364beb360c428a5c35d48fa763478931033292506a66ded

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dd563d1ffcd4b3d7c51b9927abac5f0

SHA1
8f25d2ba61956f976db54cfd21769b7ad6f44476

SHA256
0d5759483e236c2821670dd402a1fac48690d67618907f16203e9e5b1c83c3fd

SHA512
0eb9597bb4fe488d59b47ea051f8415da7cf246ed6d9147d220d69893c4666ea0aaef3581170d4a735f6d6f8876351b699e9dc1fe7a93352abc1c68cc98d242d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
025dcb3578690b47a702311ecbb3931b

SHA1
3474dc9462e78373adf2b51de8388be7863c738e

SHA256
322a6985cb93f8043dc7dd3287a84cafc7dc7620fc239cfd48c40157c935521e

SHA512
4475ec14e9172edb69690c49ec23a79853af03a8cce92975446a95e82411b846cf42b4b32905c79226c7178923c5950abdfdc330f2fed59150eb8f072de4c51b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef82dadc407bc21467b5b5fdbdc53b5f

SHA1
03fb0e8a5a777138c512a3d23741e3e7faed9e88

SHA256
5fff21ba54b1cba3daafba1d4b084164fd12756accb40341723faa9440cd78b3

SHA512
b250aca6470f5c7ab102dab48bd3bc5333d52801450da3b2f13a60715b8bc02cc88c16a539c57bd21934b9098d89a8d2f7086c885f9b3bcd5e21380d07eb6bd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e833e104219519be87098f7beef0914b

SHA1
cb63ce9ef531ccf3170a79f628827be9f20a3c74

SHA256
1f285e7188fcc1936fea8f60352c3774d01b265ad8485b90f5636735b224721c

SHA512
ede9a23c3715e4a6f0460cf832c1f55a7e2eebfdb7b6b1ff96fb76fe389d44f258b48ce08ab57adea4b2643752cbbd36be6e88312e57f0524babfe6fcfd9a810

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc27c78c4f3faad1948b89cdda6df265

SHA1
4f72b1f0ac15f2baf3b799be8a85d67d08893ddf

SHA256
bcf63bab5f1701f3b2993a5a78f5ff4548b9045bc670800039a7001fc0731a9e

SHA512
3d3670153ebc14e9275e496e716d6b938a406eb747bcf2b21d2162f81bf6b07fc86bb4fe802af0922571b0a9bb2abd71325f36d3eb7f1240481a46a7cd073f2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
796708204b5ae5a7ad07b3b5b06ec057

SHA1
c4bb5897aca63081ada57b73ef3ed680c508c9e7

SHA256
31d8bd2809d3d27f29f09916c1fcbe8f0546f99661770778f2354620722af53a

SHA512
403103b2d484b3c6b767929d1ef9e46fcf3a5bca91a450babaf4452d172f7cc83135922081bdfe436c78c4a2d43b95bc5efb69ae7f5a5c4171f1efa9f4117c27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
924338ff00fe4c3831699990e2b23110

SHA1
63c1142daa7d3427914814890dc2657ec69957a3

SHA256
60ef6a52162c56fb81f53787660ea73c1709994320df62ae51b15e3692df8144

SHA512
20b5632251af96e57574be900690750c2f6f3a90f8bd20ba25afcb6ff96860a7dad73bdf7b24222bb236bbcd1a91123c29dc114524ae60eee74238c6056f499d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6520896c704fa44f7f02a32eedf01c5f

SHA1
db9f2c7b56491e7747bc663013f1b4369cb7fed5

SHA256
50336f5169b14ab70f38f52c4b8fe0022d090781b7a5433e7fd855c38ba8d3ec

SHA512
17d6a32a9de1b071f280b0697b0cb2cd3866951221546fe99492802014d6264b110c4c1517e49a8e3752434b585b65ce8f65cab85cedc7631e949450a80acd8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0f2c040e9911e2f6e1efd5be6758155

SHA1
bc0736d7caa34e06b891031e0ed1e620dce601cc

SHA256
cc5ca03e28cea2909e0924c984faf49ef1678e107df4de3a0bfea161ecbdda0d

SHA512
859ec29558cccc9f0d1eed4e80ab61c822a2b0ed0799e06de10148002ee0c10e33ba8fe2300900261aaea1fa388398ccd209d673adbb3dbbe5c5db988f16029a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82b47b7f97a7e9370381450157b7b82d

SHA1
4f002d789ddbc0cf78cd0cf72ec8f34f25b92115

SHA256
6b18979d7b1dcb6458140b7d7f6d92e08b47ddce4c0672852684de66e5892c0e

SHA512
71130edd6c518e158de7ec6b6599836fe5a0fdd6f5864136662048923d0f49859f90ae9846af1ef26c9924510dc9a1a1a8291268cd1de6aff173116153cd8a16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c78ce2c68068320d008ea24cb38e4c17

SHA1
90edcacc5baeaf07b99951e5353a61c97ed31a26

SHA256
3d8faa11575656d4e76b2884e6f444b9e49e8b62b5e5ea6139b88d20c5f77531

SHA512
35ac1921724e439da1593dda312abd5111dff05a68189874f69f7e64682532d27d98080b444dd989464e7e418ec74a5d95754e3ef23f8297fe483a29a75bfcfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b3d8bb3ab8d75fbff1e76e3146f5035

SHA1
85bcef34019c91760006c1f3b023ffe94656c9ee

SHA256
bea361d6f7e18f4717c71172a3ecb994b32685f267e3bf47246dba8892491d32

SHA512
cd34853741d1da02bb4c3cea0c5838d64b993005b7a5693065caea46b59be0418da02b6ac0c829de573bd4fcee71bdc624d63a99d2a426d2d605dc174cead308

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6feb6eed8bf031a3c6739f3377064a18

SHA1
88038b325fdcb5b5700525a507458d5d5e97d6fb

SHA256
3f13fcdd6d8d85def25f8d126655ce5631d348ef3d6eb3dcfdb12def2079d5c9

SHA512
bd3f0d363f374e6c5e01d995c39da09d79d564dbceef4fe0305afb389c0cbf0d984175fd5abfc23bc4a28d0b3e5699863341fbe32671f0e4e76713cab19776cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
385fc6ac6bdd9bfccb503e1d6ba79908

SHA1
0b8b6243ac956596d10d7166910cc9357c2194ab

SHA256
78afa48deb5e9d9591d80447f6c0cb1e76dc261cccf8adea43abdde2368f6cd8

SHA512
8e4ce258f2c5f93e0e907091ffea59b991c55c1605f2aae48ef91fcf169070f570410409e16ed438332e3a7181425b7dfe0d2eff4bad05ec4718270abb7afee9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88a5e2a7e38b9612b26bb97e1e8698c2

SHA1
9334b2d42a104200be6557dd27926242055e036f

SHA256
11bf2cbc8fb115908d74ad9ff43066137284cf7b1e1ff78b61cd418ace3a6a97

SHA512
dcb440e9d0ad5efb921c0ebd959e7f83b2fa8cfe725c58fc1a905c3166a44318b5334d6e4ce7d1071f45ffea81e56d48a529235008a2b89b6424fd6d3a31ba58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fd1d45305c938bb91781abd8c73af80

SHA1
c0b04d658927e5b77d50be7244e6475e18819276

SHA256
2faaa9f1137b26f53ce61df2a8187e593a2e8aa92bca5bded4b413c67c87c15d

SHA512
b8761593788e3b3dd80c8a36ae241a8deb1da50127c7d5c849373bdbd4dcaeae778a10d99d90d4a6ae7d6e1b998de69c720707441d905ee8d3bf28b44759def8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbd4c0ee677652c3cb6ba8950b226da8

SHA1
9f8fef415ca2e3547b67fa0a092ca2b58d5ef663

SHA256
444b5b89d3a0ee075c34286d00c2370d4a367c0fa4f3f82749eca3e3aafd1730

SHA512
8ab1cb6b2760496ef099db15b571ce53625dba470294551c3ee3cc9591e8010db3c2de5907a2a7c5fdde239b64b2fbcd7ffc9b9caad102900eccff59562f76a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCE78.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IWWKL.bat

Filesize
165B

MD5
55078117cf471e8a8121dbc8f6d159bb

SHA1
5b19af55ad6ac1d5f7a9d6fd972d2785266f5e63

SHA256
f62c2d6aa9e97285e74642e8d7b97dcb01221f73d93e829f220e116616034c6e

SHA512
8a4950bf5162a1620246772a4a37632feb22748077702c9f8ee2e510d501be4ad3789f1d90f780d6d34525ec1ba51bf32d64ff4babd7e067cde55c4c690783d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PKUPL.jpg

Filesize
10KB

MD5
b88339034e7902b856a7a45c50869e01

SHA1
181fe968e4c15f2dca6a241f552b6e955e5a0033

SHA256
f927f4ffa26255b3f90d29fe426830744cc37671d69b57abb07f1e5e6f343371

SHA512
1d1c327d63697465e5a4d9149e73cd75b723350e7af19bc0073ea2c0a4b56f67aadbe618d8444c4f678bcca98253e9b078aa8d881be296e2c3f42c3e787b3555

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCF18.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\fc0eed6b92b5874b37367f08538de1d1_JaffaCakes118.exe

Filesize
528KB

MD5
fc0eed6b92b5874b37367f08538de1d1

SHA1
7c0d33e53b16c3a6803122e3fa6561d787041210

SHA256
c9f3a9caa9b0a67bca48ff6de615351465d0548ca32d7fdaf87dc19a011ff4f7

SHA512
1356e7f9c060d537f62cf3bb2b75c5ad3ab08b049d5ddd0059a5f405ebbfd0a0ecf40558799d05e2dcedaf99d566c451487d7de3135e7b561bf8bfb1d0915913

Download Submit
\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe

Filesize
528KB

MD5
456baa19329d1451e293e4f885d3a284

SHA1
f84b013ce459ef2fe5c702925de536bf1ff765e3

SHA256
92afb92ed87f1c521f45b1805b596e7e76562ff59d47aea29d79858e9ae962d9

SHA512
32e4eee1356f3966a53f1d2eab883f47bcb55a15cab0c9cae6a21ea33eb2047de0731cd275efcd298865fae502dcb1a92f50ccfc08bed46742ee88aab1fbd33d

Download Submit
memory/1260-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2568-1613-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2568-1624-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2916-1614-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2916-3415-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/7228-3200-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/7228-3206-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/7316-3848-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/7316-3418-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads