Analysis
max time kernel: 24s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-01-2025 20:36
Behavioral task: behavioral1
Sample: JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Size: 248KB
MD5: 681f449dea67730957adbce0bd8913f7
SHA1: 80706299971fda0750f6d294bd9b6f9977868fd2
SHA256: 6252dccdb307ff206e294f6c1cfbef8307823d22ce1c9ab2dbd41634ab7cfac2
SHA512: 4e838341aa7c9e9b072ac527c0e29e4df2716bf195daf5bb7076230f007bb0b9b6b68ab8d8ce15af6b7fe08780a385d12626dad4828cdbcceffe3d6c1b1c177d
SSDEEP: 6144:k9XzVel6f1qmTQKuIvxMCQOlcW7yaX+7oJVXJp70dR:WzW6f1qiBuIJAOlcW7yS7JpwdR
Malware Config
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Detect Neshta payload 3 IoCs
resource | yara_rule
behavioral2/files/0x0006000000020228-465.dat | family_neshta
behavioral2/memory/852-652-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/5032-653-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
Neshta
Malware from the Neshta family is designed to infect other files in order to spread itself and cause damage.

Neshta family

Sality family
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Disables Task Manager via registry modification
Modifies Windows Firewall 2 TTPs 2 IoCs
pid | Process
4372 | netsh.exe
2204 | netsh.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | msedge.exe
Executes dropped EXE 4 IoCs
pid | Process
1368 | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
3692 | msedge.exe
852 | svchost.com
3852 | msedge.exe
Loads dropped DLL 64 IoCs
Modifies system executable filetype association 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
resource | yara_rule
behavioral2/memory/1368-19-0x0000000002470000-0x00000000034A3000-memory.dmp | upx
behavioral2/memory/1368-15-0x0000000002470000-0x00000000034A3000-memory.dmp | upx
behavioral2/memory/1368-22-0x0000000002470000-0x00000000034A3000-memory.dmp | upx
behavioral2/memory/1368-460-0x0000000002470000-0x00000000034A3000-memory.dmp | upx
behavioral2/memory/1368-461-0x0000000002470000-0x00000000034A3000-memory.dmp | upx
behavioral2/memory/5032-656-0x0000000003E70000-0x0000000004EA3000-memory.dmp | upx
behavioral2/memory/5032-654-0x0000000003E70000-0x0000000004EA3000-memory.dmp | upx
behavioral2/memory/5032-668-0x0000000003E70000-0x0000000004EA3000-memory.dmp | upx
behavioral2/memory/5032-669-0x0000000003E70000-0x0000000004EA3000-memory.dmp | upx
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\directx.sys | svchost.com
File opened for modification | C:\Windows\svchost.com | svchost.com
File opened for modification | C:\Windows\svchost.com | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
File opened for modification | C:\Windows\SYSTEM.INI | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
File opened for modification | C:\Windows\svchost.com | msedge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msedge.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Modifies registry class 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | msedge.exe
Suspicious behavior: EnumeratesProcesses 34 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 5032 wrote to memory of 1368  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  83
PID 5032 wrote to memory of 1368  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  83
PID 5032 wrote to memory of 1368  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  83
PID 1368 wrote to memory of 2204  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  84
PID 1368 wrote to memory of 2204  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  84
PID 1368 wrote to memory of 2204  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  84
PID 1368 wrote to memory of 808  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  9
PID 1368 wrote to memory of 804  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  10
PID 1368 wrote to memory of 388  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  13
PID 1368 wrote to memory of 3000  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  50
PID 1368 wrote to memory of 3064  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  51
PID 1368 wrote to memory of 3144  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  53
PID 1368 wrote to memory of 3484  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  56
PID 1368 wrote to memory of 3584  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  57
PID 1368 wrote to memory of 3768  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  58
PID 1368 wrote to memory of 3860  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  59
PID 1368 wrote to memory of 3920  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  60
PID 1368 wrote to memory of 3992  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  61
PID 1368 wrote to memory of 3720  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  62
PID 1368 wrote to memory of 2252  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  75
PID 1368 wrote to memory of 2052  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  76
PID 1368 wrote to memory of 5032  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  82
PID 1368 wrote to memory of 5032  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  82
PID 1368 wrote to memory of 2204  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  84
PID 1368 wrote to memory of 2204  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  84
PID 1368 wrote to memory of 2908  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  85
PID 1368 wrote to memory of 3692  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  86
PID 1368 wrote to memory of 3692  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  86
PID 1368 wrote to memory of 3692  1368  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  86
PID 3692 wrote to memory of 852  3692  msedge.exe  87
PID 3692 wrote to memory of 852  3692  msedge.exe  87
PID 3692 wrote to memory of 852  3692  msedge.exe  87
PID 5032 wrote to memory of 4372  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  89
PID 5032 wrote to memory of 4372  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  89
PID 5032 wrote to memory of 4372  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  89
PID 5032 wrote to memory of 808  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  9
PID 5032 wrote to memory of 804  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  10
PID 5032 wrote to memory of 388  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  13
PID 5032 wrote to memory of 3000  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  50
PID 5032 wrote to memory of 3064  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  51
PID 5032 wrote to memory of 3144  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  53
PID 5032 wrote to memory of 3484  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  56
PID 5032 wrote to memory of 3584  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  57
PID 5032 wrote to memory of 3768  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  58
PID 5032 wrote to memory of 3860  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  59
PID 5032 wrote to memory of 3920  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  60
PID 5032 wrote to memory of 3992  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  61
PID 5032 wrote to memory of 3720  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  62
PID 5032 wrote to memory of 2252  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  75
PID 5032 wrote to memory of 2052  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  76
PID 5032 wrote to memory of 3692  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  86
PID 5032 wrote to memory of 3692  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  86
PID 5032 wrote to memory of 4372  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  89
PID 5032 wrote to memory of 4372  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  89
PID 5032 wrote to memory of 808  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  9
PID 5032 wrote to memory of 804  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  10
PID 5032 wrote to memory of 388  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  13
PID 5032 wrote to memory of 3000  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  50
PID 5032 wrote to memory of 3064  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  51
PID 5032 wrote to memory of 3144  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  53
PID 5032 wrote to memory of 3484  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  56
PID 5032 wrote to memory of 3584  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  57
PID 5032 wrote to memory of 3768  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  58
PID 5032 wrote to memory of 3860  5032  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  59
-
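The "wrote to memory of" records above are exported as one flat run of `PID <src> wrote to memory of <dst> <src> <image> <target index>` entries, with the same call listed several times. What matters for triage is not the count of records but how many distinct processes each source wrote into: a parent writing into the child it just spawned is ordinary, while two copies of the sample writing into fontdrvhost, dwm, Explorer, RuntimeBroker and the rest is the spray a file infector produces when it injects into everything it can open. The Python below is an added illustration, not code from the sandbox: it parses that flat format, collapses the duplicates, and ranks sources by distinct-target fan-out, resolving target PIDs to image names with a map taken from the report's process list. The input is an excerpt of the report's records embedded so the script runs offline; the `flag_sprayers` threshold of five is an arbitrary assumption for the demo.

```python
import re
from collections import defaultdict

# Excerpt of the report's "wrote to memory of" records, kept in the flat,
# space-joined form in which the report lists them (constructed sample input).
SAMPLE = (
    "PID 5032 wrote to memory of 1368 5032 JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe 83 "
    "PID 5032 wrote to memory of 1368 5032 JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe 83 "
    "PID 1368 wrote to memory of 2204 1368 JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe 84 "
    "PID 1368 wrote to memory of 808 1368 JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe 9 "
    "PID 1368 wrote to memory of 804 1368 JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe 10 "
    "PID 1368 wrote to memory of 388 1368 JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe 13 "
    "PID 1368 wrote to memory of 3484 1368 JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe 56 "
    "PID 1368 wrote to memory of 3692 1368 JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe 86 "
    "PID 3692 wrote to memory of 852 3692 msedge.exe 87 "
    "PID 5032 wrote to memory of 4372 5032 JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe 89 "
    "PID 5032 wrote to memory of 808 5032 JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe 9 "
    "PID 5032 wrote to memory of 3000 5032 JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe 50 "
    "PID 5032 wrote to memory of 3064 5032 JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe 51 "
    "PID 5032 wrote to memory of 3484 5032 JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe 56"
)

# PID -> image name, taken from the report's process list.
PROCESS_IMAGES = {
    808: "fontdrvhost.exe", 804: "fontdrvhost.exe", 388: "dwm.exe",
    3000: "sihost.exe", 3064: "svchost.exe", 3484: "Explorer.EXE",
    5032: "JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe",
    1368: "JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe",
    2204: "netsh.exe", 4372: "netsh.exe", 3692: "msedge.exe", 852: "svchost.com",
}

# One record: "PID <src> wrote to memory of <dst> <src> <image> <target index>".
# The image name is matched as a run of non-space characters, which holds for
# every record in this report; an image name containing spaces would need a
# stricter pattern.
RECORD = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<idx>\d+)"
)


def parse_records(text):
    """Yield (src_pid, dst_pid, image) for every record in the flat text."""
    for m in RECORD.finditer(text):
        yield int(m["src"]), int(m["dst"]), m["image"]


def injection_map(text):
    """Collapse repeated records into {src_pid: set(dst_pids)}."""
    targets = defaultdict(set)
    for src, dst, _ in parse_records(text):
        targets[src].add(dst)
    return dict(targets)


def fan_out(text):
    """{src_pid: number of distinct processes it wrote into}."""
    return {src: len(dsts) for src, dsts in injection_map(text).items()}


def flag_sprayers(text, threshold=5):
    """Return [(src_pid, [target image names])] for sources at or above threshold.

    threshold is an arbitrary cut-off chosen for this demo: a single write into
    a freshly spawned child is a normal hand-off, while writes into many
    unrelated system processes are the injection spray of a file infector.
    """
    flagged = []
    for src, dsts in sorted(injection_map(text).items()):
        if len(dsts) >= threshold:
            names = sorted(PROCESS_IMAGES.get(d, f"pid {d}") for d in dsts)
            flagged.append((src, names))
    return flagged


if __name__ == "__main__":
    for src, names in flag_sprayers(SAMPLE):
        print(f"PID {src} wrote into {len(names)} distinct processes: {', '.join(names)}")
```

On the excerpt both copies of the sample (5032 and 1368) clear the threshold while msedge.exe (3692), which wrote only into the svchost.com child it launched, does not; on the full list above the fan-out of each sample copy is closer to twenty.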
System policy modification 1 TTPs 2 IoCs
description ioc Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe
Processes
C:\Windows\system32\fontdrvhost.exe  cmdline: "fontdrvhost.exe"  PID:808
C:\Windows\system32\fontdrvhost.exe  cmdline: "fontdrvhost.exe"  PID:804
C:\Windows\system32\dwm.exe  cmdline: "dwm.exe"  PID:388
C:\Windows\system32\sihost.exe  cmdline: sihost.exe  PID:3000
C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:3064
C:\Windows\system32\taskhostw.exe  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:3144
C:\Windows\Explorer.EXE  cmdline: C:\Windows\Explorer.EXE  PID:3484
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe"  PID:5032
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Modifies system executable filetype association
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe"  PID:1368
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Windows\SysWOW64\netsh.exe  cmdline: netsh firewall set opmode disable  PID:2204
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
        C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  PID:2908
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.bigfishgames.com/help/index.html?rn=168  PID:3692
        - Checks computer location settings
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        C:\Windows\svchost.com  cmdline: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument http://www.bigfishgames.com/help/index.html?rn=168  PID:852
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe --single-argument http://www.bigfishgames.com/help/index.html?rn=168  PID:3852
            - Executes dropped EXE
    C:\Windows\SysWOW64\netsh.exe  cmdline: netsh firewall set opmode disable  PID:4372
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
C:\Windows\system32\svchost.exe  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3584
C:\Windows\system32\DllHost.exe  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3768
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3860
C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3920
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:3992
C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3720
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:2252
C:\Windows\System32\RuntimeBroker.exe  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:2052
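The process list is exported with the image path, command line and nesting depth run together on one line (`<image><cmdline><depth>⤵PID:<pid>`), and lineage is carried only by the depth. Two things in that tree are worth pulling out mechanically: C:\Windows\svchost.com launching the copy of msedge.exe held under a 3582-490 directory (the hand-off from an infected host executable to the relocated original, which is how the tree shows the Edge launch reaching the real binary), and netsh switching the firewall off with the legacy `firewall set opmode disable` syntax. The Python below is an added illustration and not the sandbox's own code: it parses that fused format, rebuilds parent/child links from the depth, and applies three triage rules of this example's own devising over the result. The sample lines are a subset copied from the list above so the script runs offline; the single-digit depth rule is an assumption that the tree is less than ten levels deep, needed because a command line can itself end in a digit (the conhost line ends in `-ForceV1`).

```python
import re
from pathlib import PureWindowsPath

# Lines copied from the report's process list in its raw, run-together form:
# <image path><command line><depth>⤵PID:<pid>  (constructed sample input, a
# subset of the tree; depth 1 is a top-level process).
SAMPLE_LINES = [
    r'C:\Windows\system32\sihost.exesihost.exe1⤵PID:3000',
    r'C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3484',
    r'C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe"2⤵PID:5032',
    r'C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_681f449dea67730957adbce0bd8913f7.exe"3⤵PID:1368',
    r'C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable4⤵PID:2204',
    r'C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:2908',
    r'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.bigfishgames.com/help/index.html?rn=1684⤵PID:3692',
    r'C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument http://www.bigfishgames.com/help/index.html?rn=1685⤵PID:852',
    r'C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exeC:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe --single-argument http://www.bigfishgames.com/help/index.html?rn=1686⤵PID:3852',
    r'C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable3⤵PID:4372',
]

LINE = re.compile(
    r'^(?P<image>.+?\.(?:exe|com))'        # image path ends at the first .exe/.com
    r'(?P<cmd>.*?)'                        # command line runs straight on from the path
    r'(?P<depth>\d)⤵PID:(?P<pid>\d+)$',    # one depth digit: the cmdline may end in a digit
    re.IGNORECASE,
)

STAGING_DIR = "\\3582-490\\"   # directory the relocated originals are run from


def parse_line(line):
    """Split one fused report line into its image, cmdline, depth and PID."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised process line: {line!r}")
    return {"pid": int(m["pid"]), "depth": int(m["depth"]),
            "image": m["image"], "cmdline": m["cmd"]}


def build_tree(lines):
    """Parse lines in report order and attach each process to its parent.

    The report encodes lineage only as nesting depth, so the parent of a
    depth-n process is the most recent depth-(n-1) process above it.
    """
    procs, last_at_depth = [], {}
    for line in lines:
        p = parse_line(line)
        p["parent"] = last_at_depth.get(p["depth"] - 1)
        last_at_depth[p["depth"]] = p["pid"]
        # entries deeper than this one belonged to an earlier sibling's subtree
        for d in [d for d in last_at_depth if d > p["depth"]]:
            del last_at_depth[d]
        procs.append(p)
    return procs


def ancestry(procs, pid):
    """Return [pid, parent, grandparent, ...] up to the top-level process."""
    by_pid = {p["pid"]: p for p in procs}
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = by_pid[pid]["parent"]
    return chain


def findings(procs):
    """Triage rules over the tree: [(pid, reason)], in report order."""
    out = []
    for p in procs:
        name = PureWindowsPath(p["image"]).name.lower()
        if name == "svchost.com" and STAGING_DIR in p["cmdline"]:
            # a .com named like the service host, launching a file that was
            # moved into the staging directory: infected binary -> original
            out.append((p["pid"], "svchost.com loader runs relocated original"))
        elif STAGING_DIR in p["image"]:
            out.append((p["pid"], "image executed from 3582-490 staging dir"))
        if name == "netsh.exe" and "firewall set opmode disable" in p["cmdline"].lower():
            out.append((p["pid"], "netsh disables Windows Firewall (legacy opmode)"))
    return out


if __name__ == "__main__":
    tree = build_tree(SAMPLE_LINES)
    for pid, reason in findings(tree):
        print(f"PID {pid}: {reason}; chain {' <- '.join(map(str, ancestry(tree, pid)))}")
```

Run on the excerpt, the chain for the innermost msedge.exe (3852) reads back through svchost.com (852), the Program Files msedge.exe (3692), the 3582-490 copy of the sample (1368), the sample itself (5032) and Explorer (3484), which is the lineage an analyst wants before deciding which of those images are infected rather than merely spawned.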
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (2): Change Default File Association (1), Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (2): Change Default File Association (1), Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
-
Filesize
86KB
MD5
3b73078a714bf61d1c19ebc3afc0e454
SHA1
9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256
ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512
75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4
-
Filesize
208KB
MD5
4d3af722e63f94f196ee27216039c921
SHA1
f331c177f2eae0239736b5dcbf83bdd21be1673f
SHA256
363ad4c8387f10365ed59ec32ae030d61f4976eb0c5f0721da0f8c0fd8107b22
SHA512
ad6b5f1d62f3bc8e5f77d228c708e65cd8a445cc5930ee2de4f243d572fd0fdb1e37c30edb39f827ffbc5004f67bdd2d6485c2c1c5139c1667bd6770434d7920
-
Filesize
3.2MB
MD5
ad8536c7440638d40156e883ac25086e
SHA1
fa9e8b7fb10473a01b8925c4c5b0888924a1147c
SHA256
73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a
SHA512
b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe
-
Filesize
17KB
MD5
07805faef6474af0725b2140734791a7
SHA1
cff3ca563393f79dbc6feb7dc81e30595552e710
SHA256
2a5a788d606bd94a6f34f08060a69bd0b49656149556afa20bf9165c8eb67d66
SHA512
0b098a989923f0749027cf317b0e5d34f6d2f469bbc2995847eb9b4180d3148e5bfddafab0e568f61fd457ccd4e6d5736721c9717463bd9b9e0d6c99e570d2e1
-
Filesize
9KB
MD5
29948eac267f1f3a618adccffac4a6da
SHA1
501a6ed0d063bea025e292d87ebc8a2ad6909639
SHA256
53da28f1a771ede7149d58b9fb8bc42184494202065f68dd2a19e7800f084999
SHA512
7cf19408eb0f2be7423c6e199c1bbd016cc1b469a4f4d53aeeb63afdf0d3b5f50310c034ad7b5da58b1e8a34a90ccbfe912ac08f13fcce3df98e085820f600c2
-
Filesize
4KB
MD5
15bfdf6af53021cc43d20d4cb32c487c
SHA1
efd9ec82c81a886f0b04222961c26f6822051d95
SHA256
8a846161651a5363d5e19a97b8677bff832751c1eecebe888528e303136d4706
SHA512
212d7dd912e47800b59aeb3eec7cfd3616c09aae2c03b583c7c075f6a880e8570c2ce50419ae0f42aaa3500ef7135be49c29862f7190160136e68cc93cf762e7
-
Filesize
23KB
MD5
bf1ccc7f5c46e024e800f6c1e9df8206
SHA1
103d8ea4ea18e467fd070b325d2be5aacc800e60
SHA256
c554c58c011bf0d902f0a74e783333f300f60f1c46fd74f1572f775bb89c7f6d
SHA512
e88de83b9e836cfea1a10412e16a59e59778b2d3b773cb92cf0b816f423e1807aa63656228372fa16a8d66f4364a9cc34cb17bb09b510428cf42acdb2454bbb5
-
Filesize
84KB
MD5
fae3be7a9827eaa3ef9f43832805e110
SHA1
0888a3ed318f17bf39e3c9af5848c965551b31a5
SHA256
65aac0490feb6cb70ef76b39d3f08f61172dfce998fecf56a25c3f10d5c754a7
SHA512
39d0496614a390c2e97636bd1d252c3cba8c0c28a7245f631cc7b7195bfe224cb176c97adbb92824df8db5e5340d5255171eabcac0da548385fed0d81578c6c2
-
Filesize
16KB
MD5
4e1c46e37af4b3ab0036cb1e85c81608
SHA1
8424a551d819cdae44d95a80af24a502d7e25ac1
SHA256
468d24e632789e5d2e740bf7b084d72e4e3784ebc19d77dfe4b3d866bec8d789
SHA512
9a2e140238bc6e4492cfcd022930b4facb3ca61d498febce949b36b526ef5ab434d94d0811bf958f572d1cf141b4411fa7950551244926a93d69b68d8fd33df6