Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/01/2025, 10:59
Static task
static1
General
Target: JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
Size: 625KB
MD5: 9bf9f662ed4e25acaf3f26b09774e77d
SHA1: eb45e4c04c07b7c7e2698bd9a9e3bacfdde9a11e
SHA256: 922c58f5fbc890a5170e4829d645bf9bc578e1e91377bdb8a6f90d485d128898
SHA512: fda76d6939d40fdb262b49a5189406f1bcb9cae50ad3d4b034c765f136bd9cc2c7b71920719152b63b4d294f82211fdb9bd7b9279d1f14ddefdf45a5b62fd299
SSDEEP: 12288:RVt+w8wyv/866WoJM4sr0fjHLwN++JbHjNifqo:Ht+w5yMDJ7sryrw4IHa
Malware Config
Signatures
Expiro family

Expiro payload 5 IoCs
All five matches are in the memory of the sample process itself (PID 4076), in the 0x400000-0x54F000 range of its mapped image.
resource                                                                     yara_rule
behavioral1/memory/4076-0-0x00000000004BC000-0x000000000054F000-memory.dmp   family_expiro1
behavioral1/memory/4076-1-0x0000000000400000-0x000000000054F000-memory.dmp   family_expiro1
behavioral1/memory/4076-3-0x0000000000400000-0x000000000054F000-memory.dmp   family_expiro1
behavioral1/memory/4076-47-0x00000000004BC000-0x000000000054F000-memory.dmp  family_expiro1
behavioral1/memory/4076-49-0x0000000000400000-0x000000000054F000-memory.dmp  family_expiro1
Windows security modification 2 IoCs
Disables taskbar notifications via registry modification
description      ioc                                                                                                                            Process
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000                          alg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000\EnableNotifications = "0"  alg.exe

Executes dropped EXE 8 IoCs
The "dropped" executables are Windows and third-party service binaries run from their normal install paths, not newly written files; most of them appear in the file-modification tables below as targets the sample opened for modification.
pid   Process
1540  alg.exe
1416  DiagnosticsHub.StandardCollector.Service.exe
4520  fxssvc.exe
1620  elevation_service.exe
2136  elevation_service.exe
3084  maintenanceservice.exe
3844  msdtc.exe
1984  msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe: \??\E: and every root from \??\G: through \??\Z: (21 drive letters; no access to F: recorded)
File opened (read-only) by alg.exe: \??\E: and every root from \??\G: through \??\Z: (21 drive letters; no access to F: recorded)
Drops file in System32 directory 64 IoCs
File opened for modification by JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe (32):
\??\c:\windows\system32\snmptrap.exe
\??\c:\windows\SysWOW64\tieringengineservice.exe
\??\c:\windows\SysWOW64\Appvclient.exe
\??\c:\windows\system32\vssvc.exe
\??\c:\windows\SysWOW64\locator.exe
\??\c:\windows\SysWOW64\vssvc.exe
\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
\??\c:\windows\SysWOW64\msiexec.exe
\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe
\??\c:\windows\system32\sgrmbroker.exe
\??\c:\windows\SysWOW64\openssh\ssh-agent.exe
\??\c:\windows\SysWOW64\svchost.exe
\??\c:\windows\system32\spectrum.exe
\??\c:\windows\system32\locator.exe
\??\c:\windows\SysWOW64\spectrum.exe
\??\c:\windows\system32\vds.exe
\??\c:\windows\SysWOW64\wbengine.exe
\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe
\??\c:\windows\SysWOW64\fxssvc.exe
\??\c:\windows\system32\sensordataservice.exe
\??\c:\windows\SysWOW64\snmptrap.exe
\??\c:\windows\SysWOW64\vds.exe
\??\c:\windows\system32\openssh\ssh-agent.exe
\??\c:\windows\system32\tieringengineservice.exe
\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe
\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
\??\c:\windows\SysWOW64\msdtc.exe
\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe
\??\c:\windows\SysWOW64\perfhost.exe
\??\c:\windows\system32\wbem\wmiApsrv.exe
\??\c:\windows\system32\Appvclient.exe
\??\c:\windows\system32\fxssvc.exe

File created by JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe (17 eight-letter .tmp files, each in a directory whose executables it also opened for modification):
\??\c:\windows\system32\peealqle.tmp
\??\c:\windows\system32\mbeciife.tmp
\??\c:\windows\system32\gkppbmlm.tmp
\??\c:\windows\SysWOW64\afjejhpf.tmp
\??\c:\windows\system32\diagsvcs\monenjde.tmp
\??\c:\windows\system32\mnggfnce.tmp
\??\c:\windows\system32\perceptionsimulation\dgldceqn.tmp
\??\c:\windows\system32\jimfbdof.tmp
\??\c:\windows\system32\ilaajadk.tmp
\??\c:\windows\system32\iebhfigl.tmp
\??\c:\windows\SysWOW64\beodcdlg.tmp
\??\c:\windows\system32\icnioklf.tmp
\??\c:\windows\system32\ljfbkege.tmp
\??\c:\windows\system32\openssh\omkpieqh.tmp
\??\c:\windows\system32\nppbehmh.tmp
\??\c:\windows\SysWOW64\ofkbmcnp.tmp
\??\c:\windows\system32\wbem\hhbmaama.tmp

File opened for modification by alg.exe (14):
\??\c:\windows\system32\Appvclient.exe
\??\c:\windows\system32\lsass.exe
\??\c:\windows\system32\wbengine.exe
\??\c:\windows\system32\vds.exe
\??\c:\windows\system32\dllhost.exe
\??\c:\windows\system32\searchindexer.exe
\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe
\??\c:\windows\syswow64\perfhost.exe
\??\c:\windows\system32\sgrmbroker.exe
\??\c:\windows\system32\svchost.exe
\??\c:\windows\system32\sensordataservice.exe
\??\c:\windows\system32\spectrum.exe
\??\c:\windows\system32\wbem\wmiApsrv.exe
\??\c:\windows\system32\openssh\ssh-agent.exe

File opened for modification by msdtc.exe (1):
C:\Windows\system32\MSDtc\MSDTC.LOG
Drops file in Program Files directory 64 IoCs
File opened for modification by JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe (28):
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe
\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
C:\Program Files\Internet Explorer\ielowutil.exe
\??\c:\program files\windows media player\wmpnetwk.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
C:\Program Files\Internet Explorer\iediagcmd.exe
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
C:\Program Files\7-Zip\7zFM.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
C:\Program Files\Java\jdk-1.8\bin\javap.exe
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
C:\Program Files\7-Zip\Uninstall.exe
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
\??\c:\program files (x86)\google\update\googleupdate.exe
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
\??\c:\program files\common files\microsoft shared\source engine\ose.exe

File created by JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe (25 eight-letter .tmp files):
C:\Program Files\Common Files\microsoft shared\ClickToRun\cedpmnkl.tmp
C:\Program Files\Google\Chrome\Application\elidehmc.tmp
\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\afpbkmbd.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clmaedbq.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\mnmjadqg.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\lhbjhkab.tmp
C:\Program Files\Internet Explorer\kjkookie.tmp
C:\Program Files\Common Files\microsoft shared\OFFICE16\pgildlkb.tmp
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\jkgaipki.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\hlepeenn.tmp
C:\Program Files\Common Files\microsoft shared\MSInfo\jfjkgccl.tmp
\??\c:\program files\google\chrome\Application\123.0.6312.123\idpebapl.tmp
C:\Program Files\Common Files\microsoft shared\ink\nnbpngba.tmp
C:\Program Files\Java\jdk-1.8\bin\ldcnmoao.tmp
\??\c:\program files\windows media player\cbhiddpb.tmp
C:\Program Files\Java\jdk-1.8\bin\cobmhpje.tmp
C:\Program Files\Java\jdk-1.8\bin\iilmmhmc.tmp
C:\Program Files\Common Files\microsoft shared\ink\olemadei.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\pijgofaf.tmp
C:\Program Files\Java\jdk-1.8\bin\imamgieo.tmp
C:\Program Files\7-Zip\lncjookl.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\mgecidfd.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\occlljkq.tmp
C:\Program Files\Java\jdk-1.8\bin\knkmmeba.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\miqfjfol.tmp

File opened for modification by alg.exe (11):
\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
C:\Program Files\7-Zip\7z.exe
\??\c:\program files\common files\microsoft shared\source engine\ose.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
C:\Program Files\7-Zip\Uninstall.exe
\??\c:\program files\windows media player\wmpnetwk.exe
C:\Program Files\7-Zip\7zG.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Drops file in Windows directory 5 IoCs
description                   ioc                                                                          Process
File opened for modification  C:\Windows\DtcInstall.log                                                    msdtc.exe
File opened for modification  \??\c:\windows\servicing\trustedinstaller.exe                                JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe  alg.exe
File opened for modification  \??\c:\windows\servicing\trustedinstaller.exe                                alg.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
Modifies data under HKEY_USERS 5 IoCs
description      ioc                                                                                                                        Process
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"  fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"      fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"             fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"                fxssvc.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"                            fxssvc.exe
Suspicious behavior: EnumeratesProcesses 44 IoCs
pid   Process
1540  alg.exe (44 occurrences)
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
660  Process not Found (2 occurrences)
Suspicious use of AdjustPrivilegeToken 4 IoCs
SeTakeOwnershipPrivilege is enabled by both the sample and the infected alg.exe, the two processes that open System32 and Program Files executables for modification in the tables above.
description                      pid   Process
Token: SeTakeOwnershipPrivilege  4076  JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
Token: SeAuditPrivilege          4520  fxssvc.exe
Token: SeTakeOwnershipPrivilege  1540  alg.exe
Token: SeSecurityPrivilege       1984  msiexec.exe
System policy modification 1 TTPs 2 IoCs
description      ioc                                                                                            Process
Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer                  alg.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"  alg.exe
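The signature tables above are the raw material for a host hunt, but in their rendered form they are hard to consume. The following Python script is an added example, not part of the tria.ge report and not the sandbox's own code: it parses IoC rows in the exact shapes this report uses (file rows "File <op> <path> <process>", registry rows "<op> <key>[ = "<value>"] <process>", and the yara memory-region resource names) into structured records and derives what a responder would actually check on a suspect host: which executables were opened for modification, which eight-letter .tmp files were staged beside them, which registry values were written, and how large the matched Expiro region is. The sample input is a constructed subset of rows copied from this page; the eight-lowercase-letter .tmp pattern is simply what every .tmp name in this report looks like, used here as a hunt heuristic rather than a family signature. The function names (`parse_iocs`, `triage`, and the rest) are this example's own. Requires Python 3.8 or later.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: IoC rows copied verbatim from this report's signature
# tables (file, registry and memory-region rows), one row per line.
SAMPLE_IOCS = r"""
File created \??\c:\windows\system32\peealqle.tmp JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification \??\c:\windows\system32\snmptrap.exe JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification \??\c:\windows\system32\lsass.exe alg.exe
File created C:\Program Files\7-Zip\lncjookl.tmp JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened (read-only) \??\E: alg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000 alg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000\EnableNotifications = "0" alg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" alg.exe
behavioral1/memory/4076-1-0x0000000000400000-0x000000000054F000-memory.dmp family_expiro1
"""

# Row shapes as rendered in the report; the process name is always the last
# space-free token, so paths with spaces ("Program Files") parse correctly.
FILE_RE = re.compile(r"^File (?P<op>created|opened for modification|opened \(read-only\)) "
                     r"(?P<path>.+) (?P<proc>\S+)$")
REG_RE = re.compile(r"^(?P<op>Key created|Key opened|Set value \(\w+\)) "
                    r"(?P<key>\\REGISTRY\\.+?)(?: = \"(?P<value>[^\"]*)\")? (?P<proc>\S+)$")
MEM_RE = re.compile(r"^behavioral\d+/memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)"
                    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp (?P<rule>\S+)$")
# Every .tmp in this report is eight lowercase letters: a hunt pattern
# (assumption drawn from this one report), not a family signature.
TMP_NAME_RE = re.compile(r"^[a-z]{8}\.tmp$")

def normalize_path(path):
    """Drop the NT object-manager prefix (\\??\\) and lower-case for matching."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()

def parse_iocs(text):
    """One IoC row per line -> list of dicts; unknown shapes are kept as 'unparsed'."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        if m := FILE_RE.match(line):
            records.append({"kind": "file", "op": m["op"],
                            "path": normalize_path(m["path"]), "proc": m["proc"]})
        elif m := REG_RE.match(line):
            records.append({"kind": "registry", "op": m["op"], "key": m["key"],
                            "value": m["value"], "proc": m["proc"]})
        elif m := MEM_RE.match(line):
            records.append({"kind": "memory", "pid": int(m["pid"]), "rule": m["rule"],
                            "start": int(m["start"], 16), "end": int(m["end"], 16)})
        else:
            records.append({"kind": "unparsed", "raw": line})
    return records

def modified_executables(records):
    """Executables opened for modification: the list to re-hash and signature-check on a host."""
    return sorted({r["path"] for r in records if r["kind"] == "file"
                   and r["op"] == "opened for modification" and r["path"].endswith(".exe")})

def staged_tmp_files(records):
    """Eight-letter .tmp files created by the sample."""
    return sorted(r["path"] for r in records if r["kind"] == "file" and r["op"] == "created"
                  and TMP_NAME_RE.match(PureWindowsPath(r["path"]).name))

def tmp_next_to_target(records):
    """Directories that hold both a staged .tmp and a modified executable."""
    by_dir = defaultdict(lambda: {"tmp": [], "exe": []})
    for p in staged_tmp_files(records):
        by_dir[str(PureWindowsPath(p).parent)]["tmp"].append(p)
    for p in modified_executables(records):
        by_dir[str(PureWindowsPath(p).parent)]["exe"].append(p)
    return {d: v for d, v in by_dir.items() if v["tmp"] and v["exe"]}

def registry_settings(records):
    """Values written (EnableNotifications = 0 and HideSCAHealth = 1 in this report)."""
    return {r["key"]: r["value"] for r in records
            if r["kind"] == "registry" and r["op"].startswith("Set value")}

def expiro_region_size(records):
    """Bytes spanned by the largest region a family_expiro rule matched."""
    return max((r["end"] - r["start"] for r in records
                if r["kind"] == "memory" and r["rule"].startswith("family_expiro")), default=0)

def triage(text):
    """Summary a responder can check against a suspect host."""
    records = parse_iocs(text)
    return {"modified_executables": modified_executables(records),
            "staged_tmp_files": staged_tmp_files(records),
            "tmp_next_to_target": tmp_next_to_target(records),
            "registry_settings": registry_settings(records),
            "expiro_region_size": expiro_region_size(records),
            "unparsed": [r["raw"] for r in records if r["kind"] == "unparsed"]}
```

Run `triage(SAMPLE_IOCS)` to get the summary; feeding it the full rows from the tables above instead of the sample yields the complete list of 40 modified executables and 42 .tmp files. Keeping the `\??\` prefix out of the normalized paths matters because the same executable appears in both the NT and Win32 spellings in this report (for example Chrome's elevation_service.exe), and a hunt list should count it once. The `unparsed` list is the safety net: any row whose shape the three patterns do not cover is surfaced rather than silently dropped.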
Processes
All ten processes are top level; none is a child of the sample.

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9bf9f662ed4e25acaf3f26b09774e77d.exe"
PID: 4076
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
PID: 1540
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
PID: 1416
- Executes dropped EXE

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 1268

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
PID: 4520
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
PID: 1620
- Executes dropped EXE

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
PID: 2136
- Executes dropped EXE

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
PID: 3084
- Executes dropped EXE

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
PID: 3844
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
PID: 1984
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.9MB
MD5: 91b298911d9dd798c0abb7cdbb33e522
SHA1: 69dcd26ac2dd7269d9b99a626562c9b9f2cd46ee
SHA256: 5f4a9bb635719708463f63db09e4258ffc3440c1ffe56043b33c2faec6513e2f
SHA512: ae71e3ae66e18118898bee43fc3d3c98b54ffad363aeb4000a73ad93e2263ae7154fdd0542bc4300bf3893d217389ab04adcf04ec2c20659442b2217a780a60e

Filesize: 621KB
MD5: 650622c8801965aac948b86fa1c58cf1
SHA1: 185a548035f6c288d5b3c26764f79c11440a5e12
SHA256: f4333af3f841cdc81e4346ab6985dcc507b2230e6c2a7ee4975d9c2e1170c1e7
SHA512: 7ca51db7ba18cd13702b4763edbe20063d9599ad8c0302f5bc716a302411c169534fa7f4c984dbe957ea3843f07bfea8a2d96b3bf9c3f7118c0089deb3e3e23b

Filesize: 940KB
MD5: d954a2ff00e0e32d93ba132375151fe3
SHA1: 6bb5aea6d250acecd6dd9f8cfc76cb5a3d814533
SHA256: cbc3fb6251f25270f4fb122e5119cb1df39b704447f02713665344f1d4273684
SHA512: a3f7de23728a4fefb765763e8cc7a8e99a1e5db0d62326712cf168c8426cace11790d4170a0db06c3efc6792e6e37551c7f7b23f16de1dab5549679ae9220f27

Filesize: 1.3MB
MD5: 49d85646cbd1aaefa6342b4d54820aa4
SHA1: 699f0797b4cc5819ab84cd78770bba81ee2ac583
SHA256: c898611217c4d28aa7effe1e0b9ff1f141b034af162985fba5f31d2cff764e98
SHA512: f6c6d73b0bbce99acf4805e07ffdd1f368962703cf7ad009fe813e2e31cb183a1c1083c20307398c5851901daf355f98ebdc9f1048902b9bc43843c973567f49

Filesize: 1.1MB
MD5: 87434f3879b02be4715dac92b2279687
SHA1: ab8487142b16cea1009d13b81fc3226fcba11a88
SHA256: 9c29a40ed23786c08fefcfdecc27983c479b66294023fdd0d0a05d4cee9727ce
SHA512: 253e56ad741a328855a856305b70a0e8209f9798e89bde2904ff5fd930cc8088925d4adc5887731d9abf4ebec3f6d93468199403c20c5e7e76aa595f4bc4a83e

Filesize: 410KB
MD5: bc9439610eadb5e6e852a3fce4dc3cc5
SHA1: d7ead4a46e39a39bb74313652d2360ec716367a9
SHA256: dc4d43a9c06501b1526247e015e35481acffb3bbb6f80eb17be308987dbe9bca
SHA512: ce81b87c5499ca7034a004e03fcdfc57fec6dbfb9669d699406a2e6d9941fa36708a7412280944961fbb03646abc0d97f4e79d3e57bf24a69374e5df603d4b66

Filesize: 672KB
MD5: b62de7cab2f19ec7bf6afa40734280ef
SHA1: ee480df4d7448936e995f118c9b738f1482594aa
SHA256: dc7e8932aa794734afe7e3a1d826b8b62cff2f88a3d01d8513103cc8b89cc633
SHA512: 1e3bb68504255b07b45b3b425c37513c0761e4d2bf77093a77ef40c2713d48ee7985a1b5085ac9b3028e19757575078138a21b8019c0203aa3cc234de63b18da

Filesize: 4.5MB
MD5: 92380031e94ce22ada751f20e60057de
SHA1: 5720b16d1f6c2523332586ec416d2821d9a108aa
SHA256: 8fd26fe016af37c96e018040e5c4eccc153972ffef4f5019e256bba051b788d9
SHA512: 7f7860f83c3c63eb7fadb902f45ce278c5f890b35474d4d660e037013645cbe08368700a6f8120468d6d517bb0ac5578bb2cf2b338a208263fbc0594b9a0ca58

Filesize: 738KB
MD5: f177f284d4beacad7b0221d078d4f373
SHA1: 54719d74494c56ddfd689afed49770467d013dc2
SHA256: 7429e36a72f248b7df3b79321216aac70411de2de79cf2985b15257c99764eac
SHA512: a220490af8af4b9afc952d11f16d3b21ec04b0da69814ebea2b85681dde388676629eb0ded8e796995e2efe823f53bc80cb51aa5398bc74c13ec59060099bbc3

Filesize: 23.8MB
MD5: 958c901aa9c165c15d691f0b77a560ec
SHA1: a11ce5bc9dbd04a7e4533a898e45467c9c7b0628
SHA256: daea22bcf9075ba6b2cc5d1432bb4d1f14e7607b53fcf0473a4320d34e57c62f
SHA512: 8fbe26657c80f079fae718eb307678a6d624970151af637fe59e9bf6e24c43b1c72ac3f9c99483bb3e59cb45ab7a8c873e53fb9e45513e7ffdf3f06cbc074cc6

Filesize: 2.5MB
MD5: 833ad360f5b55ab7070a125b58fac719
SHA1: 63005361b098eeee2ded05fa2b221d82865bd8fb
SHA256: 9af5ce4057b9775b0ce33ca3eb1eb8425cf5a7a3098abdfc8aa3bea3454bf297
SHA512: 1637c8b20d484bc0947946355cc11f60201702e5a7fc7a8e35666f1747022efc24ed59e0abff0cf8cc20f9aadf7c42e436245b60a486c7a5b1aa8880341264d5

Filesize: 637KB
MD5: f665752c631d3cfd135c4f59105b2670
SHA1: e88aad202ebb014921ffd00402bc5354d99bb0c4
SHA256: 85a57f7704b0c765028fb041ba70fc8042ff0bc7f4331f4dea96b887efc343d0
SHA512: 997666d56fba0b4568a959ac8f930c1a48ede017c941f76e7066b3b0403bd08b86dfb37ecbca7ab5be238ad51a017d65f142eb0975425f453075bc2be38b7fc1

Filesize: 2.0MB
MD5: e945f0cf0ddaf63f52b0c0e39af67b51
SHA1: d4c6a2e92386b45f744c209403347096f813fe71
SHA256: f82a878b8d23e13eb793fcfdc2114799d762e7f44d508af701b384c81c396ea6
SHA512: 6ab69dd5cd87ae0ba90bfc3884b3a693ae98ec9fa19d97628435d5cae74ca2643e65a11f3cb9cc87e58df5680316788b111693f67d2bc74f3acc41b3b00ef93a

Filesize: 625KB
MD5: 8f0b65c4d8c4314ab1dc1d5294aba9c3
SHA1: f127a4d61925de0b417872e98f099650f3cc4ae2
SHA256: cb60c5410b0c3d44fe5ed314d1101f4cb11d82e4d4ec6fe5232a24decc5ed236
SHA512: 16f8a60f2ba2f6dbb2d38addca3e48f797b9eb608b0fe41eb9dbfa64fb3ff4b6d94a9414b84c750235f9c8c34838a2a0b6da8e611193d83e4faf491e5a69213d

Filesize: 818KB
MD5: 73ff76e85bf1515fee3fcd5f6b09a482
SHA1: 9ae5984ae354cc8d2bc8b7b0e3ffcebacd0eac79
SHA256: d846ba36c2e9a842e4bd15184a29d74f860542b631144aba2a604ac7e9ea9bb5
SHA512: bb7e9caa4f883d24870ac02a870a66b3c2f890e0520a2e0b9e5479bf7c5c157e7e5b48fb7c6d7ddc9a204ee1104966740eb5c3fd96426a23b068353bc31a98f1

Filesize: 487KB
MD5: 12c318b7ef319e032a33bc93c3591b2c
SHA1: 32ccaa6f536de50bb416de26bc6db6bf354b3f42
SHA256: 64efeb16a81565b43782ab127c5ce33bc630a8e4de8af5ad845640a947bacc66
SHA512: 851b15d7d1f3f4333d7dccfa98f8a7afa2e02757e7db0933e6117eb1389081c3db2ec899b5add87f79c8d829449f7fe0ec3d698c04729eaa223b92473f058741

Filesize: 1.0MB
MD5: 56836076a427832ecfbc5e85595cc5d8
SHA1: 5e6205627a2a341712f22622bc338013381a2689
SHA256: 18c994c73f1f649a01f7fa030b8ad280fb3637f775bc799b3de547085b6fe1f5
SHA512: 14ddc16029168effeec083abce8a20898b25a0fb8b068e482de02340e3b65f53cd86dc98c6956eb54e55b54d57d9c9c31812324abc1070436237c41867fb4c38

Filesize: 489KB
MD5: 05e3c7560aa19b54522526b1acbf9bca
SHA1: 84ef9940f60dd0e531306a8bac8eacfc3527249b
SHA256: bf25d64c18d7b1f64562b71f56b165f010f576d9c1e847c565deb75bba17e555
SHA512: 399172cdd19d77378d65d2267e17dde23641b44a2d8f9b6a463f0cb4f9c499f5035bc6f88bfd264ec6bfeb5e3ea4371aaf0703812898238858b4f15b02131262

Filesize: 540KB
MD5: 44a506fc3a2a0b003ca9764d95a31a98
SHA1: c7f51639a770892508284aa3459a5241a5271f6b
SHA256: dee41d7a0bc8b84e600e9c217b45ea5e26fa75496923c60bffa8fda1a3f535cf
SHA512: 18ae31db236c71837e88e7122b6c6076ac98f7ed0b32fe0993a8d70e4738d410474a6f9d379b73fbbf3af3856d64655ebbf7813da401c11ced322ecaef87f06c

Filesize: 463KB
MD5: 1e9f77d4e01c8babe0200a5059fc3bf7
SHA1: 318e214376a112fd0bef4055a9edff66f13757f8
SHA256: 3962f8f60dcdcf113ce68166037671797f479a10d41db2ea1fa45eaab0a82ca5
SHA512: 775eecc55f06a04628fd0e09497d0b5454fa28f5da457b588e99af84f39b3728f59d19068e1134d52ce2f9ab752ee05f5c3cf4530e52364e2ae604cf4499a3f3

Filesize: 1.1MB
MD5: 5419af6ee9a72e910c7e11b86aa15e32
SHA1: 8b9c9fe2c00ab4bdb844b11fb6a4b7dbe5a19783
SHA256: 5effb6c9a60ca84ebf3d85696641d2c1da948b57415c770033149a8f1f21ddaf
SHA512: c39df34ae30ebb8a205c0512152cad0968f3c32517a36cc2fd9dcdc27f2cb1362a3a2cbc54e9f55efdcdebe0d099bada8375e5b91a02bad3cab33194f7830e49