Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/01/2025, 14:37
Static task
- static1
Behavioral task
- behavioral1
  Sample: JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
  Resource: win10v2004-20241007-en
Only the behavioral2 (Windows 10) run is reported below: every memory-dump YARA hit is prefixed behavioral2/ and the PIDs in the signature tables all belong to that run.
General
- Target: JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
- Size: 381KB
- MD5: 7955ce3d796ca8a03a55d2edefd32f25
- SHA1: 5725494c18c0f3f32fcd5a5c01ad8a09e8ee7831
- SHA256: aac971e1ff6dcb52dac8ee0749261f8995ebe3c870511e9f3ea291882d6e41b0
- SHA512: 6e5141863878e855b40c6c95ae6658ef8f6bad01a3f1b127675e6d6d7c3fcf2a2f7d85425388594ff4e80d67e5a7c5d2d78fd630914cba291860c74156b34c08
- SSDEEP: 6144:P9mIRKIXJMFy/x3gC/j4fGyUFvyuja3Xcbp/jXv7TYJwKumRCBF1CgVAtEPm2/2:715oy/e4j4fGcum3Xct/DYJwKuNLQgVS
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

UAC bypass 3 IoCs (signature name as listed in the process tree)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (mstwain32.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (mstwain32.exe)
EnableLUA = 0 turns UAC off entirely after the next reboot; both the original sample and the dropped copy write it.

Windows security bypass 2 IoCs (signature name as listed in the process tree)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"  (mstwain32.exe)
ModiLoader Second Stage 21 IoCs
All 21 hits are YARA rule modiloader_stage2 on the same region 0x0000000000400000-0x000000000044B000 (the default 32-bit image base) in two processes:
- behavioral2/memory/3440-{25,26,29,30,31,44}-0x0000000000400000-0x000000000044B000-memory.dmp  modiloader_stage2  (6 dumps, PID 3440)
- behavioral2/memory/4424-{68,71,75,76,77,78,79,80,81,82,83,84,85,86,87}-0x0000000000400000-0x000000000044B000-memory.dmp  modiloader_stage2  (15 dumps, PID 4424)
PIDs 3440 and 4424 are the last process in each of the two SetThreadContext chains listed further down, i.e. the hollowed processes that carry the unpacked second stage.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)
Executes dropped EXE 3 IoCs
- PID 1460  mstwain32.exe
- PID 4404  mstwain32.exe
- PID 4424  mstwain32.exe

Loads dropped DLL 1 IoCs
- PID 4424  mstwain32.exe
Windows security modification 2 IoCs (signature name as listed in the process tree)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"  (mstwain32.exe)
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"  (mstwain32.exe)
Checks whether UAC is enabled 5 IoCs (signature name as listed in the process tree)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (mstwain32.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (mstwain32.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (mstwain32.exe)
Drops file in System32 directory 4 IoCs
- File opened for modification: C:\Windows\SysWOW64\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)
- File created: C:\Windows\SysWOW64\mstwain32.exe  (mstwain32.exe)
- File opened for modification: C:\Windows\SysWOW64\mstwain32.exe  (mstwain32.exe)
- File created: C:\Windows\SysWOW64\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)
Suspicious use of SetThreadContext 4 IoCs
- PID 736 set thread context of 2800  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe, procid_target 85)
- PID 2800 set thread context of 3440  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe, procid_target 87)
- PID 1460 set thread context of 4404  (mstwain32.exe, procid_target 99)
- PID 4404 set thread context of 4424  (mstwain32.exe, procid_target 103)
Each entry is a parent replacing the thread context of a child spawned from its own image that it had already written into (see the WriteProcessMemory table below), i.e. process hollowing: two hops for the original sample (736 -> 2800 -> 3440) and the same two hops repeated by the dropped copy (1460 -> 4404 -> 4424).
Drops file in Windows directory 4 IoCs
- File created: C:\Windows\mstwain32.exe  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)
- File opened for modification: C:\Windows\mstwain32.exe  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)
- File opened for modification: C:\Windows\mstwain32.exe  (mstwain32.exe)
- File created: C:\Windows\ntdtcstp.dll  (mstwain32.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (mstwain32.exe, 3 times)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe, 3 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
All 64 entries come from PID 736 (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe) and alternate between the same two privileges, 32 times each:
- Token: 33  (PID 736, JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)  32 times
- Token: SeIncBasePriorityPrivilege  (PID 736, JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)  32 times
The bare "33" is an unresolved privilege LUID; winnt.h defines SE_INC_WORKING_SET_PRIVILEGE as 33, so it is SeIncreaseWorkingSetPrivilege.
Suspicious use of SetWindowsHookEx 2 IoCs
- PID 2800  JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
- PID 4404  mstwain32.exe
Suspicious use of WriteProcessMemory 45 IoCs
The 45 "PID A wrote to memory of B" entries collapse to five parent -> child pairs:
- 736 -> 2800  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe, procid_target 85)  8 writes
- 2800 -> 3440  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe, procid_target 87)  13 writes
- 3440 -> 1460  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe, procid_target 94)  3 writes
- 1460 -> 4404  (mstwain32.exe, procid_target 99)  8 writes
- 4404 -> 4424  (mstwain32.exe, procid_target 103)  13 writes
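The SetThreadContext and WriteProcessMemory tables above describe the same two hollowing chains from two angles. The following added example, which is not code from the report or from tria.ge, reconstructs the chains from rows in the report's own notation (constructed inline from the two tables above) and separates hollowing (a write followed by a thread-context change into the same child) from a plain launch (writes only, as for 3440 -> 1460). The row grammar it parses, the result keys and the output wording are this example's assumptions.

```python
"""Reconstruct process-hollowing chains from tria.ge style IoC rows.

Added example (not code from the report or from tria.ge). The input rows
are constructed inline from the SetThreadContext and WriteProcessMemory
tables of this report; the row grammar assumed is
'PID <src> <action> <dst> <src> <image> <procid_target>'.
"""
import re
from collections import Counter

SAMPLE = "JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe"

# The four SetThreadContext rows, as printed in the report.
SET_THREAD_CONTEXT = f"""
PID 736 set thread context of 2800 736 {SAMPLE} 85
PID 2800 set thread context of 3440 2800 {SAMPLE} 87
PID 1460 set thread context of 4404 1460 mstwain32.exe 99
PID 4404 set thread context of 4424 4404 mstwain32.exe 103
"""

# The 45 WriteProcessMemory rows; the report repeats each row, so the
# repetition is reproduced here with list multiplication.
WRITE_PROCESS_MEMORY = "\n".join(
    [f"PID 736 wrote to memory of 2800 736 {SAMPLE} 85"] * 8
    + [f"PID 2800 wrote to memory of 3440 2800 {SAMPLE} 87"] * 13
    + [f"PID 3440 wrote to memory of 1460 3440 {SAMPLE} 94"] * 3
    + ["PID 1460 wrote to memory of 4404 1460 mstwain32.exe 99"] * 8
    + ["PID 4404 wrote to memory of 4424 4404 mstwain32.exe 103"] * 13
)

ROW = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\d+)"
)


def parse_rows(text):
    """Yield (src_pid, action, dst_pid, src_image) for every IoC row in text."""
    for m in ROW.finditer(text):
        src, action, dst, image, _procid_target = m.groups()
        yield int(src), action, int(dst), image


def analyse(stc_text, wpm_text):
    """Pair 'wrote to memory' and 'set thread context' edges.

    A child that its parent both wrote into and then re-pointed the thread
    context of is the RunPE / process-hollowing pattern. A child that was only
    written to (here 3440 -> 1460, the launch of the dropped copy) is listed
    separately so it is not mistaken for an injection.
    """
    images, context_edges, writes = {}, set(), Counter()
    for src, action, dst, image in parse_rows(stc_text + "\n" + wpm_text):
        images[src] = image
        if action == "set thread context of":
            context_edges.add((src, dst))
        else:
            writes[(src, dst)] += 1

    hollow = {edge for edge in context_edges if writes[edge] > 0}
    write_only = sorted(edge for edge in writes if edge not in context_edges)
    context_only = sorted(context_edges - hollow)

    # Follow hollow edges from parents that were not themselves hollowed.
    # (Assumes one hollowed child per parent, which holds for this report.)
    child_of = dict(hollow)
    hollowed = {dst for _, dst in hollow}
    chains = []
    for root in sorted(src for src, _ in hollow if src not in hollowed):
        chain, pid = [root], root
        while pid in child_of:
            pid = child_of[pid]
            chain.append(pid)
        chains.append(chain)

    return {"images": images, "writes": writes, "hollow_chains": chains,
            "write_only": write_only, "context_only": context_only}


def describe(result):
    """Render the analysis as one line per finding."""
    lines = []
    for chain in result["hollow_chains"]:
        hops = " -> ".join(str(p) for p in chain)
        lines.append(f"hollowing chain ({result['images'][chain[0]]}): {hops}")
    for src, dst in result["write_only"]:
        lines.append(f"write without context change {src} -> {dst} "
                     f"({result['writes'][(src, dst)]} writes): plain launch")
    for src, dst in result["context_only"]:
        lines.append(f"context change without prior write {src} -> {dst}")
    return lines


if __name__ == "__main__":
    for line in describe(analyse(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY)):
        print(line)
```

Run stand-alone it prints the two chains 736 -> 2800 -> 3440 and 1460 -> 4404 -> 4424 plus the 3440 -> 1460 launch. The write counts are the useful second signal: each hollowing hop in this report shows 8 or 13 writes (headers, sections, PEB patch), whereas the plain launch shows 3, so a threshold on writes alone would still separate the two even if the SetThreadContext hook were missing.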
System policy modification 1 TTPs 3 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (mstwain32.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (mstwain32.exe)
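The UAC bypass, Windows security bypass/modification, Run key and System policy modification tables above all come down to three registry writes: EnableLUA = 0, Security Center UACDisableNotify = 0, and a Run value pointing at C:\Windows\mstwain32.exe. The added example below, not code from the report or from tria.ge, scores registry set-value events for exactly those writes. The events are constructed Sysmon-style Event ID 13 records built from the report's IoCs plus two benign controls; the rule names, severities and directory lists are this example's own assumptions.

```python
"""Score registry set-value events for the UAC / Security Center tampering and
Run-key persistence seen in this report.

Added example (not code from the report or from tria.ge). The events are
constructed Sysmon-style Event ID 13 records mirroring the report's IoCs plus
two benign controls; field names follow Sysmon (Image, TargetObject, Details),
while the rule names, severities and directory lists are assumptions here.
"""
import re

SID = "S-1-5-21-2878641211-696417878-3864914810-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe"

# Constructed events. The first uses the report's own \REGISTRY\MACHINE
# notation to show that the normaliser accepts it alongside Sysmon's HKLM.
EVENTS = [
    {"Image": SAMPLE,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Windows\mstwain32.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Windows\mstwain32.exe",
     "TargetObject": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32",
     "Details": r"C:\Windows\mstwain32.exe"},
    # Benign controls (constructed): an installer registering its updater,
    # and an administrator switching UAC back on with regedit.
    {"Image": r"C:\Program Files\ExampleApp\setup.exe",
     "TargetObject": rf"HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r"C:\Program Files\ExampleApp\updater.exe"},
    {"Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},
]

DWORD = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")
TRUSTED_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\program files")
UNTRUSTED_DIRS = ("\\windows\\", "\\appdata\\", "\\temp\\", "\\programdata\\",
                  "\\users\\public\\")


def normalise(key):
    """Lower-case a registry path, fold the report's \\REGISTRY\\ prefixes into
    Sysmon-style HKLM/HKU, and drop the WOW6432Node redirection."""
    k = key.lower()
    k = k.replace("\\registry\\machine", "hklm").replace("\\registry\\user", "hku")
    return k.replace("\\wow6432node", "")


def dword(details):
    """Return the integer value of a Sysmon 'DWORD (0x...)' Details field, else None."""
    m = DWORD.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def evaluate(event):
    """Return (rule, severity) findings for one registry set-value event."""
    target = normalise(event["TargetObject"])
    value_name = target.rsplit("\\", 1)[-1]
    findings = []

    # EnableLUA = 0 switches UAC off after the next reboot (T1548.002 / T1112).
    if target.endswith("\\policies\\system\\enablelua") and dword(event["Details"]) == 0:
        findings.append(("uac_disabled_enablelua_0", "high"))

    # Security Center *DisableNotify values are rarely written by anything but
    # the Security Center service; any other writer deserves a look.
    if "\\microsoft\\security center\\" in target and value_name.endswith("disablenotify"):
        findings.append(("security_center_notify_tamper", "medium"))

    # Run key: always record it, raise severity when the autostart target lives
    # outside System32/SysWOW64/Program Files (here C:\Windows\mstwain32.exe).
    if "\\currentversion\\run\\" in target:
        data = event["Details"].lower()
        if any(d in data for d in TRUSTED_DIRS):
            findings.append(("run_key_added", "low"))
        elif any(d in data for d in UNTRUSTED_DIRS):
            findings.append(("run_key_untrusted_path", "high"))
        else:
            findings.append(("run_key_added", "medium"))
    return findings


def scan(events):
    """Flatten findings over a list of events into one dict per hit."""
    return [{"image": e["Image"], "target": e["TargetObject"], "rule": rule, "severity": sev}
            for e in events for rule, sev in evaluate(e)]


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(f"{hit['severity']:6} {hit['rule']:32} {hit['image']}")
```

One caveat the report itself supplies: the sample also writes copies of itself into C:\Windows\SysWOW64, which this example's directory allow-list treats as trusted. A Run value pointing there would be scored low, so path-based scoring should be paired with a hash or signature check on the autostart binary (the dropped copy here has the same hashes as the submitted sample).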
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe"
   PID 736
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
      PID 2800
      - UAC bypass
      - Windows security bypass
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      3. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
         cmdline: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe
         PID 3440
         - Checks computer location settings
         - Checks whether UAC is enabled
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\mstwain32.exe
            cmdline: "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe"
            PID 1460
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\mstwain32.exe
               cmdline: C:\Windows\mstwain32.exe \melt "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7955ce3d796ca8a03a55d2edefd32f25.exe"
               PID 4404
               - UAC bypass
               - Windows security bypass
               - Executes dropped EXE
               - Windows security modification
               - Checks whether UAC is enabled
               - Drops file in System32 directory
               - Suspicious use of SetThreadContext
               - Drops file in Windows directory
               - System Location Discovery: System Language Discovery
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory
               - System policy modification
               6. C:\Windows\mstwain32.exe
                  cmdline: C:\Windows\mstwain32.exe
                  PID 4424
                  - UAC bypass
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Adds Run key to start application
                  - Checks whether UAC is enabled
                  - Drops file in Windows directory
                  - System Location Discovery: System Language Discovery
                  - System policy modification

1. C:\Windows\system32\vssvc.exe
   cmdline: C:\Windows\system32\vssvc.exe
   PID 3668

The number before each entry is the depth shown in the report's tree. The dropped copy is started with \melt "<path of the original sample>": "melt" is the usual name for a dropper deleting its original file once the installed copy is running, though this report records no deletion of the file in %TEMP%. vssvc.exe (the Volume Shadow Copy service) appears as a separate top-level process, consistent with the "Uses Volume Shadow Copy service COM API" signature.
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- (path not shown in report)  Filesize 1KB
  MD5: c9be626e9715952e9b70f92f912b9787
  SHA1: aa2e946d9ad9027172d0d321917942b7562d6abe
  SHA256: c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4
  SHA512: 7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5
- (path not shown in report)  Filesize 436B
  MD5: 971c514f84bba0785f80aa1c23edfd79
  SHA1: 732acea710a87530c6b08ecdf32a110d254a54c8
  SHA256: f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
  SHA512: 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12  Filesize 174B
  MD5: e1e9b883d882c26bedebff0b430d9f47
  SHA1: cbc191c74ffce6f7f760ca4fded786c886308b43
  SHA256: f02b12cd7da6b1b6a7561874254f8d98ba524198e8cf476470c2be2530e1d5e1
  SHA512: 879db2256cbbf4abc4d8371c61c404bee9fdfc9688ab5ad349f2adcf1f821bd73ad7d5e08946496c3ae20663e5d77d4bcbb093440f99b8b2a176c891b326c457
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8  Filesize 170B
  MD5: 4b39e38940f4735ea88723bf1099d620
  SHA1: b079766ab443715df773f1dc49d6371bd32318f7
  SHA256: 14c93fc5256552908909510e4ea72e854df30fe14228f4afa801084050d1ab7f
  SHA512: b699b3df02c23520448901d28e5099818c335ed2f5b32f8b6991d18edfc70936d24d18129376fdc8277ed7c2942b7eb1249873fbfcefbb5bc08583fd45a1726f
- (path not shown in report)  Filesize 167B
  MD5: 0104c301c5e02bd6148b8703d19b3a73
  SHA1: 7436e0b4b1f8c222c38069890b75fa2baf9ca620
  SHA256: 446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f
  SHA512: 84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf
- (path not shown in report)  Filesize 381KB  (hashes identical to the submitted sample, i.e. a byte-for-byte copy)
  MD5: 7955ce3d796ca8a03a55d2edefd32f25
  SHA1: 5725494c18c0f3f32fcd5a5c01ad8a09e8ee7831
  SHA256: aac971e1ff6dcb52dac8ee0749261f8995ebe3c870511e9f3ea291882d6e41b0
  SHA512: 6e5141863878e855b40c6c95ae6658ef8f6bad01a3f1b127675e6d6d7c3fcf2a2f7d85425388594ff4e80d67e5a7c5d2d78fd630914cba291860c74156b34c08
- (path not shown in report)  Filesize 40KB
  MD5: 3f689ab34ba20ffbc647f3c4ce7c9c92
  SHA1: 0275be6c5d43a4916f4b6b2b4aa06398e193206f
  SHA256: 003eb1ba56dc99c6a6d4e8f35233edcee64aa8001ac5f7289369cae2325ff019
  SHA512: 5336b3d410c21746a81a67c1b0da791d5592d4dc42fe559bc9b12a89b6bc6aef04b385a1566e55a7599c2489741ee7b0953f9cb0b3b5b9a9feb006678e2bdbce