Analysis
max time kernel    150s
max time network   124s
platform           windows10-2004_x64
resource           win10v2004-20241007-en
resource tags      arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted          31/12/2024, 16:52
Static task        static1
General
Target   JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
Size     625KB
MD5      298ff7e2b96f9c5d518d501a553e8679
SHA1     565046d5f237826687bd9c43877cd8a788bed2ee
SHA256   b026b10c79c8cc3ddd0cfbca316c091df9829e417666d46596d30b73773c3686
SHA512   6d6156dbe52788fc0fca2886db67a6ae40808db147e3ecf814bb98f26c3cbdab2c6b497aef556eefc343d6856e73add8677023b270ec0ab62de727c610b2caed
SSDEEP   12288:1Vt+w8wyv/N66WoJMFVX6mAa2ogAQg0prnAbiKusJ2:jt+w5y9DJUR6mAajgAQvpr0fJ
Malware Config
Signatures

Expiro family

Expiro payload (5 IoCs)
resource | yara_rule
behavioral1/memory/1056-0-0x00000000004BC000-0x000000000054F000-memory.dmp | family_expiro1
behavioral1/memory/1056-1-0x0000000000400000-0x000000000054F000-memory.dmp | family_expiro1
behavioral1/memory/1056-3-0x0000000000400000-0x000000000054F000-memory.dmp | family_expiro1
behavioral1/memory/1056-48-0x00000000004BC000-0x000000000054F000-memory.dmp | family_expiro1
behavioral1/memory/1056-56-0x0000000000400000-0x000000000054F000-memory.dmp | family_expiro1
Disables taskbar notifications via registry modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2045521122-590294423-3465680274-1000 | alg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2045521122-590294423-3465680274-1000\EnableNotifications = "0" | alg.exe

Executes dropped EXE (8 IoCs)
pid | Process
3836 | alg.exe
712 | DiagnosticsHub.StandardCollector.Service.exe
4580 | fxssvc.exe
1364 | elevation_service.exe
4848 | elevation_service.exe
452 | maintenanceservice.exe
3520 | msdtc.exe
4292 | msiexec.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 42 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (64 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | alg.exe
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | alg.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
Modifies data under HKEY_USERS (5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Suspicious behavior: EnumeratesProcesses (44 IoCs)
pid | Process
3836 | alg.exe
Suspicious behavior: LoadsDriver (2 IoCs)
pid | Process
660 | Process not Found
660 | Process not Found
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1056 | JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
Token: SeAuditPrivilege | 4580 | fxssvc.exe
Token: SeTakeOwnershipPrivilege | 3836 | alg.exe
Token: SeSecurityPrivilege | 4292 | msiexec.exe
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | alg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | alg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_298ff7e2b96f9c5d518d501a553e8679.exe"
  PID: 1056
  Signatures:
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  PID: 3836
  Signatures:
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
- C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  PID: 712
  Signatures:
  - Executes dropped EXE
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1128
- C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  PID: 4580
  Signatures:
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID: 1364
  Signatures:
  - Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
  PID: 4848
  Signatures:
  - Executes dropped EXE
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  PID: 452
  Signatures:
  - Executes dropped EXE
- C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  PID: 3520
  Signatures:
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4292
  Signatures:
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads