Analysis

max time kernel: 149s
max time network: 147s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 19/01/2025, 12:24

Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Resource: win10v2004-20241007-en

General

Target: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Size: 2.2MB
MD5: c7b6e5fcb3c51c4cbd9058d90d088bf6
SHA1: b2057fcbac47dfa1c92df2ad0a3d6f78aefe00a8
SHA256: 4bd6365e1357e4d66aeb3b4d97da320316d01830b362ea6a61ce159e81c1c707
SHA512: 8f57c6450979ff9bdfaf5fd1431f339999e7388e0ed60247acc188c7688beba273a2aa8351cdcd1eca260308b8750f5a5fbda7c78121d9a227c727abc9a7fd9e
SSDEEP: 49152:e1UsIvTfS+rb9188MVfdzM3oNMLoZ6M4ejnXxrkHxLI5:BtvTfSu9xofd/Ns58Jt5

Malware Config
Signatures

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe

Blocks application from running via registry modification 18 IoCs
Adds application to list of disallowed applications.
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "egui.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "avgscanx.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "avgcfgex.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "avgchsvx.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "avcenter.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "avgfrw.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "avgnt.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "avscan.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "avgtray.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "avgemc.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "avgwdsvc.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 = "msseces.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "ekrn.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "avgui.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "avgcmgr.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe

Drops file in Drivers directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\host_new | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File created | C:\Windows\system32\drivers\etc\host_new | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File created | C:\Windows\System32\drivers\etc\hosts | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

Loads dropped DLL 4 IoCs
pid | Process
2380 | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
2380 | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
2380 | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
2380 | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Unexpected DNS network traffic destination 36 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PC Security Guardian = "\"C:\\ProgramData\\ce52f\\PS789.exe\" /s /d" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\PC Security Guardian = "\"C:\\ProgramData\\ce52f\\PS789.exe\" /s " | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\ | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe

Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\M: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\O: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\R: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\X: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\T: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\Y: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\Z: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\G: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\H: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\J: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\N: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\Q: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\I: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\K: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\U: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\W: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\E: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\L: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\P: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\S: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\V: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2916 set thread context of 2380 | 2916 | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | 30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IIL = "0" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=293&q={searchTerms}" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\ltHI = "0" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\ltTST = "44689" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
Modifies data under HKEY_USERS 6 IoCs
- Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=293&q={searchTerms}" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=293&q={searchTerms}" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=293&q={searchTerms}" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
Modifies registry class 16 IoCs
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software\Microsoft\Internet Explorer\SearchScopes (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32 (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software\Microsoft (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software\Microsoft\Internet Explorer (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=293&q={searchTerms}" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler\ = "Implements DocHostUIHandler" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler\Clsid (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 
JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
- Token: SeSecurityPrivilege (PID 1968, mofcomp.exe)
Suspicious use of FindShellTrayWindow 2 IoCs
- PID 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
- PID 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Suspicious use of SendNotifyMessage 2 IoCs
- PID 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
- PID 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Suspicious use of SetWindowsHookEx 2 IoCs
- PID 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
- PID 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2916 wrote to memory of 2380 2916 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 30 PID 2916 wrote to memory of 2380 2916 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 30 PID 2916 wrote to memory of 2380 2916 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 30 PID 2916 wrote to memory of 2380 2916 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 30 PID 2916 wrote to memory of 2380 2916 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 30 PID 2916 wrote to memory of 2380 2916 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 30 PID 2380 wrote to memory of 1968 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 32 PID 2380 wrote to memory of 1968 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 32 PID 2380 wrote to memory of 1968 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 32 PID 2380 wrote to memory of 1968 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 32 PID 2380 wrote to memory of 2404 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 33 PID 2380 wrote to memory of 2404 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 33 PID 2380 wrote to memory of 2404 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 33 PID 2380 wrote to memory of 2404 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 33 PID 2380 wrote to memory of 1576 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 36 PID 2380 wrote to memory of 1576 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 36 PID 2380 wrote to memory of 1576 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 36 PID 2380 wrote to memory of 1576 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 36 PID 2380 wrote to memory of 2016 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 38 PID 2380 wrote to memory of 2016 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 38 PID 2380 wrote to memory of 2016 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 38 PID 2380 wrote to memory of 
2016 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 38 PID 2380 wrote to memory of 2240 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 41 PID 2380 wrote to memory of 2240 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 41 PID 2380 wrote to memory of 2240 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 41 PID 2380 wrote to memory of 2240 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 41 PID 2380 wrote to memory of 2956 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 43 PID 2380 wrote to memory of 2956 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 43 PID 2380 wrote to memory of 2956 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 43 PID 2380 wrote to memory of 2956 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 43 PID 2380 wrote to memory of 780 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 45 PID 2380 wrote to memory of 780 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 45 PID 2380 wrote to memory of 780 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 45 PID 2380 wrote to memory of 780 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 45 PID 2380 wrote to memory of 1288 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 47 PID 2380 wrote to memory of 1288 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 47 PID 2380 wrote to memory of 1288 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 47 PID 2380 wrote to memory of 1288 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 47 PID 2380 wrote to memory of 1304 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 50 PID 2380 wrote to memory of 1304 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 50 PID 2380 wrote to memory of 1304 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 50 PID 2380 wrote to memory of 1304 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 50 PID 2380 wrote to memory of 1332 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 52 PID 
2380 wrote to memory of 1332 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 52 PID 2380 wrote to memory of 1332 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 52 PID 2380 wrote to memory of 1332 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 52 PID 2380 wrote to memory of 1256 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 54 PID 2380 wrote to memory of 1256 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 54 PID 2380 wrote to memory of 1256 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 54 PID 2380 wrote to memory of 1256 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 54 PID 2380 wrote to memory of 680 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 56 PID 2380 wrote to memory of 680 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 56 PID 2380 wrote to memory of 680 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 56 PID 2380 wrote to memory of 680 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 56 PID 2380 wrote to memory of 2356 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 58 PID 2380 wrote to memory of 2356 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 58 PID 2380 wrote to memory of 2356 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 58 PID 2380 wrote to memory of 2356 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 58 PID 2380 wrote to memory of 3024 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 60 PID 2380 wrote to memory of 3024 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 60 PID 2380 wrote to memory of 3024 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 60 PID 2380 wrote to memory of 3024 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 60 PID 2380 wrote to memory of 1676 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 62 PID 2380 wrote to memory of 1676 2380 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 62 -
System policy modification 1 TTPs 7 IoCs
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" (process: JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe"
- UAC bypass
- Enumerates VirtualBox registry keys
- Blocks application from running via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2380

C:\Windows\SysWOW64\Wbem\mofcomp.exe (level 3)
Command line: mofcomp "C:\Users\Admin\AppData\Local\Temp\48.mof"
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\SysWOW64\netsh.exe (level 3)
Command line: netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe" "PC Security Guardian" ENABLE
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2404

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt kll140syfjllnraj.com 8.8.8.8
- System Location Discovery: System Language Discovery
PID:1576

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt kll140syfjllnraj.net 8.8.8.8
- System Location Discovery: System Language Discovery
PID:2016

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt kll140syfjllnraj.com 208.67.222.222
- System Location Discovery: System Language Discovery
PID:2240

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt kll140syfjllnraj.net 208.67.222.222
- System Location Discovery: System Language Discovery
PID:2956

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt kll140syfjllnraj.com 8.8.4.4
- System Location Discovery: System Language Discovery
PID:780

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt kll140syfjllnraj.net 8.8.4.4
- System Location Discovery: System Language Discovery
PID:1288

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt kll140syfjllnraj.com 208.67.220.220
- System Location Discovery: System Language Discovery
PID:1304

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt kll140syfjllnraj.net 208.67.220.220
- System Location Discovery: System Language Discovery
PID:1332

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt cllr406rswfjprx.com 8.8.8.8
- System Location Discovery: System Language Discovery
PID:1256

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt cllr406rswfjprx.net 8.8.8.8
- System Location Discovery: System Language Discovery
PID:680

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt cllr406rswfjprx.com 208.67.222.222
- System Location Discovery: System Language Discovery
PID:2356

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt cllr406rswfjprx.net 208.67.222.222
- System Location Discovery: System Language Discovery
PID:3024

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt cllr406rswfjprx.com 8.8.4.4
- System Location Discovery: System Language Discovery
PID:1676

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt cllr406rswfjprx.net 8.8.4.4
- System Location Discovery: System Language Discovery
PID:2120

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt cllr406rswfjprx.com 208.67.220.220
- System Location Discovery: System Language Discovery
PID:1552

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt cllr406rswfjprx.net 208.67.220.220
- System Location Discovery: System Language Discovery
PID:3004

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt gpwbipwb1035fhnp.com 8.8.8.8
- System Location Discovery: System Language Discovery
PID:2424

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt gpwbipwb1035fhnp.net 8.8.8.8
- System Location Discovery: System Language Discovery
PID:2816

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt gpwbipwb1035fhnp.com 208.67.222.222
- System Location Discovery: System Language Discovery
PID:2616

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt gpwbipwb1035fhnp.net 208.67.222.222
- System Location Discovery: System Language Discovery
PID:2732

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt gpwbipwb1035fhnp.com 8.8.4.4
- System Location Discovery: System Language Discovery
PID:2904

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt gpwbipwb1035fhnp.net 8.8.4.4
- System Location Discovery: System Language Discovery
PID:2824

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt gpwbipwb1035fhnp.com 208.67.220.220
- System Location Discovery: System Language Discovery
PID:1648

C:\Windows\SysWOW64\nslookup.exe (level 3)
Command line: nslookup -q=txt gpwbipwb1035fhnp.net 208.67.220.220
- System Location Discovery: System Language Discovery
PID:2652

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (4)
- Pre-OS Boot (1)
  - Bootkit (1)
- Virtualization/Sandbox Evasion (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
Filesize: 185B
MD5: b8224e5293d4fad1927c751cc00c80e7
SHA1: 270b8c752c7e93ec5485361fe6ef7b37f0b4513b
SHA256: c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61
SHA512: 8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2

Filesize: 385B
MD5: b602a827e71f24baf9b7fc4cdc222941
SHA1: e8211cb8b2373d386a82a0f124591ff559b9c5c0
SHA256: 46dcedf595fef818d42b6a79d614c9f9c8ccc36631ab8373e044c9736dd722ab
SHA512: 7992ade055422c110abb7d9f4f1ed6ceb441e87201a02e884c93a86e0be09b4dddf93a81dea3b604e39269da2d688038ad8c1dac314135597e3eb45e1d3d1a1e

Filesize: 915B
MD5: 4634f2068cb57f6368fcb28e86a7c3df
SHA1: 72e1794d42c52c35e9f1d7fe9d93bc911b7885d0
SHA256: 9d8271769e691dc05fcb977afae06937e22df32844cc3a9fd9a82884d9e25eba
SHA512: 33a5e194b1caa225e9f3b11f753f60aff652adcbaee0c48469ce1cdbe5fc7ab8c1172466389fb55bfbd3493610bbdc71f4c6fe12031c4f5e1b67a287815e9fbe

Filesize: 1KB
MD5: 95c565c467de9d124b5b5c503aa451bc
SHA1: d0812d32be0a8458d5bdf736314c2ba99bbecf03
SHA256: f393ef6f15d2effaae903ec9c500908049826899c0fbd23b5c484560ec6839a6
SHA512: 03cc5d88f33af6dc93ceb4c0f4ee367e2684d117d660e547cdf304b9c8df674c7327ac5753b096a3a5cf541f409462bfec53066257aeaf3974199874bf9687dd

Filesize: 2KB
MD5: 6d78992148d41cb376be77dfe1855bc8
SHA1: 34746d617bd9ab2663f6ef30cfbe830aaff8230e
SHA256: 4c27ab98a692e29f36867704e1f50ac9a7709ef3db0e79e4c967733430b45520
SHA512: ca24dcf97e68b5d25ea64ea034b47319803e24aa1934fe93918e33f5ea231e54826da50a287f48b930233f2a3eba490feb1afe2f61a322f62b3657727d253a48

Filesize: 2KB
MD5: 419729eba1c0f8b4f0e5e813a0166ad6
SHA1: 2fb48db108559b0a06a0a73e674d5fba8a06bc4f
SHA256: 0cda2ad28f573c06ee557cf8d61577123f01123825ad9ea28a1ff32a6f7fcade
SHA512: d16a8e3091d09156233b202f3ae7cff1d1822da6f4d3209f8880df06c6fe6b7bcc3ef814b69e31a137d885c46712b88dfdbd2ccf836f01c3a0fe558a923dfe77

Filesize: 2KB
MD5: c5bd9ef28695a1508e024504dcc8e91f
SHA1: 05e8d52330ae87218d73e3a32218b248e77fa644
SHA256: 64ea0bda3155a0cd4208e640643e7f9f9a0c40cf475abc69039a001cb623b446
SHA512: 47dc357011695f816b715c7682fca133211d8d85c761bd3e30f7cb7e1a7fd7d3c10962ab51cd6c642a10c608d759fb974ad4dd6cf3b2436569d72b6f728c24e6

Filesize: 3KB
MD5: 1c6acc540269dede1d9decae02a80157
SHA1: 212fe4c049b1e76238d2a5f0826c13b53168e9ac
SHA256: a56084c81b08e08dec1fa566e7d9fa3ddabe2eca7f020bb64bbcb6ecae049900
SHA512: 9da9259b63b3e0a45f4f8ff78ec33fbe40c28ee25a46051f6072650818feae23e04e043ad814284e7c1772977227746329b625c43dc377094ac4a2bfda9e48ae

Filesize: 4KB
MD5: 1ca4d487e1bd66744a827427640d2439
SHA1: 667ea3c4994e98073dafc7fdbc83faaaeac58dbe
SHA256: bfaff00befb75e45273537030f7478bea9f7f5765e507a6f46698c8232947e46
SHA512: 6b01ae02bf8fa760132de0176d51f8dc1609b3fb991b58c9578495ee84b8b7f83e645582a5f8bcd500974dce33c8a6f35f06c1ae20dcf5684d896820eeea9e1f

Filesize: 5KB
MD5: 233451a98293d1cb660d49b47b285882
SHA1: caeab2e84c64cbf42b09ef8f5314b6b3d18c2859
SHA256: 4232ac3109a472dea5bf1147821c60ac24f2c6653e51bacf75f6d93149d145e0
SHA512: 33759e62b4b2cd2aab5b20972faa9af8943a353c6bfaaf028739ad9733aeb40fe35ec1983f4a39840d9ee99483b561bc023a158d8e116282cdb1b1b07c1aeb22

Filesize: 7KB
MD5: 8bbfef4f65e79de6afe46136a4f4e9a0
SHA1: 32d8437da08d3265be109c4f1539db89ff01f476
SHA256: 01bcb4d04906b9bf2d1b5f768e71d0c5de1919ae018e8f87bcbd35771594fd6c
SHA512: 16dd3568d4e75df162262efa90425baef53637dfb7ded7a9e2d004df4e26da2c3ce6c74d52b3ce3c789d54836fa3ec26e015ceaa1d1d7073501934d00602d353

Filesize: 7KB
MD5: 8f0d728b3eaa56fda567a4bbf0cc903e
SHA1: 78957805392ba95a4a2f0575b4e394b08c00f693
SHA256: d903801ba75b2955639821c614c587fa228898d8c79a172349e353f5ef676910
SHA512: d7205655d3da7a89fa1211156febc3ad3ef4779b7aa6096ddc4e4c61f8dc9c46966e7b80e85974c2d3e79b5a3b9c43cf42a843dc1bed8e53c373a03536f5e904

Filesize: 8KB
MD5: e2309584bdfb615c908fc8d94c36b21d
SHA1: f7accd8696ff59637bc3f818b66b445bacec7524
SHA256: 4a5776ab49ea48d809f177fe214478ed19b2f4cda53da6ee7ca19fcd081270fe
SHA512: 0bbcacb880f4fa7c8c0351669cef44d1aab85eff4dc64adc2297ea72928960629fcd0dd62172f6f186a0f7bfe682ea909464e8f8dfeae84871b53ab5573764da

Filesize: 8KB
MD5: 797aad6192d3bfc78eb69f382c8571ac
SHA1: 75ac31b3cf580fbe87a8980cd26c38915d29c842
SHA256: bd96e5d231f092730af66931679f4a7a1793447624aec98800aabafd695605de
SHA512: a83f6a16617719feee3545611fec12ac129341ba76a54948f6784e63eac4c4034fd844b39e7dee9fb05885723bc9b37a29bb40e7220767bcac6f0bb9b309677d

Filesize: 9KB
MD5: 0aef2879103d20ad260b4b125f80517f
SHA1: e5d2f2e275c4d9c2e5eef2d79935a20baa9edf2a
SHA256: b900c54c990674ba4362f923d419425d5b975f440e5f8c6340bb43c6ce4fb401
SHA512: d5a25058057105e7cf786f325fbb3180b966798fcb018819893cd2ee67c4d9dfebc3e2a04df2b4106f546e748e127fd10c23579caaaba31f40e6f4aede2ceccf

Filesize: 10KB
MD5: 64dd4ad72e0c2fa736fd8525227221b7
SHA1: 93a5001e880b78b6e87e3b377ff280f4e13ed628
SHA256: c487d617c6a5bf23f47e01b77157df65899f617d40e2e25e630d132efab9aa58
SHA512: 3ab97cd4fd69ea20d43ffc19168c29aa591f3945a6bba0d083c32bb8f05fe34000ebc3c74fe2264c9e671b89322e03356b663c61355ffde553a368971d9abae2

Filesize: 10KB
MD5: a616e893789caabe99b5232fe13c7a6a
SHA1: 4a822faa66fe9bcc582d785b9f7851a505da3d6d
SHA256: fcc3c3d0ea4ebeb668b25f7309925af814cc59351bf359b7bb812e6eaa5295ca
SHA512: 9bc2fae02332fabc386631c11858a1b0e617a3bab05c2a397e1cf17dadfc8d2816b28461dc7a03fe223fda0a97705276e4b2ef82a27f432edb84502e6ad94923

Filesize: 11KB
MD5: f92587aadf99811d6f18b8a210a437a1
SHA1: 7ff528824500864e87081fc17ff184ad22e6b612
SHA256: 679678e71ecea3abd46f8796a31ac42a6a336c9a7bc056c53b49152a685765f1
SHA512: 0685065f3c702baad56cac6526d644063b68a4c7fa9cea4da1b28ec3e5cf00d7e497eab9a0683deb42716e0455c3779e72de0ef79efb807dff6b8af299eee471

Filesize: 11KB
MD5: 0935f4984fa314ecfb491f1c30ae89a2
SHA1: 7df0f8800175e8ac9dc3e81a51708859c9686ec7
SHA256: 2e3c661b9dd14690fe284404cb64325a5032bac6f630f5cf0ba36293c8c4e5bf
SHA512: a9bb4790fc29c05305ac12141637092df2b2fe24dc8ad5a7f5c137c75c27b5f85fe79d77e42b1984467b3dceff64607a0de33021365eb01bd092d2f072411541

Filesize: 12KB
MD5: 2110882880b34ba1834ca445cb6348ae
SHA1: 3f0bff32ef3293a7566b101e71d3bc32bdb7afef
SHA256: 91e01b85e6908313027245dc8b8ceb8102115dcefc1ee0bf1e4ef9ebc343ab1f
SHA512: 77c5a68c742e8bc39762aaf1c74cc2f39d31f1deb6e72a870d38e81e8b0c428b13f4ed61da698374002e2d5ba4622adbc5e26eddab9b45848de8a4e3e9cce064

Filesize: 13KB
MD5: 164bcb0c66cb74e072a5d648434056ab
SHA1: 81b01f7ff9142c80e53c0b1345e191a4efde5f1d
SHA256: 8715785a657ffd165e7ef151fdab4c12d3c43fa20e3f387f1ec5e21b329ddfe6
SHA512: 2fece9eb3096c20bb969d6041be756390c1dfa89acec450c44acd916eae464d85ecab2a67897c60cf329def429fd539418121028ccc54e45b4418acc98c4e56d

Filesize: 14KB
MD5: 6aea73316a23bb6b2d50bcf686fe2574
SHA1: 54997075bbb5403bbe98837fca6ca7b05ff798b7
SHA256: cd5bf6a337126902656ced6e5f90e677ca9cb531ffd022fde7ef708182c9e066
SHA512: 500849363175e0423ab0a07ae8107b168f4818655bc0af7c485cc49e55d7ba6ef486a28d8b138c1fec4d83c947d3c01527ed495ac02eb18d84d557c6f4ad38c5

Filesize: 16KB
MD5: 8f3ef2c5460834a13b05ed7460bc5d8d
SHA1: c8fd458d9f3b4aea552376bf942f2dfd312b62b7
SHA256: a8349f7ea9e02020ea168507dce1af35cdcebfba03096d3dbc6c4aa6c367a5b5
SHA512: c44330b7859a48d0e38e7e0df5720b02cfc489971b2b10d0abc87cfbe0f959b58fd233c11cc3b6932298441b00f0f499beb89755b5fa4aa995b844427b4f442e

Filesize: 16KB
MD5: 90f4c7ede12249ef61f2282f17b90821
SHA1: 2c26865b2a247612bd7997ea4703e1e2430b10a9
SHA256: 89e21d29e19ab31092011dbb99c69aee09e957731ee10e340732a09bac5bd99d
SHA512: 77d3bcc19a780d92577be08237e09e819fbf8cb0f0b183af6f77a1d6aa6b24d650a904a5d0be9d71d574b6455ff7495df8f3e43d995550dd14ffb44fbafaa2c2

Filesize: 16KB
MD5: c4192082b707e83c1611e477ef3f6965
SHA1: c290fe1ab135fb1c8a780a59b3b923bc6174dc4b
SHA256: 2397a3ec21968d42d1c7e1f1fda2534f9fd00ba896b78e0fb2187e6601c0a10d
SHA512: 6bc5ecdd75ab037147a7b3eacf38d58acb7c1f2cfd14dc26f2fe013464016c35761aab1c57b8be5337f6d36924f3ca0d585c76a55ba3f8f1acb9340e0218188e

Filesize: 16KB
MD5: 9cb21e3a5c736916e9ca33a154004d6e
SHA1: 988cfd2c03dac04af5d7002ec08b4647ccb3afd3
SHA256: 8788b8063f02bd43ecf149526d17add1f0ef44142d35827a81485c6223aeb8b1
SHA512: 11b5bbaf0788125e47ffae1f973b0907c205cc53939f0cad3059d3fa7178485ee9f23a75d5ac8db46203956c0ecf30174d147f37425da525112ca219afc31bbd

Filesize: 16KB
MD5: cafb2febcb6b2f664a8ae33617366dfd
SHA1: 718dcd3b1ce0a8005b59372307b8e27e7d215a7e
SHA256: f72c0e85e97537a0b802c083e95ec5b2eabb36db63a00effb8185519b0ae4720
SHA512: 9a959e4b8666d51d0ef94e8545c93e1d3af2bf1d7057923a3a4be437cca1775ecb54391f13a65cc6c871edfee5d04e8bc825ceee20f8dbadc47895b9f7cd8859

Filesize: 338B
MD5: f1105ae1645a228e4054effbed8c2901
SHA1: 5a7940e396bcbcb7e8f3275e880811c3b10d1edf
SHA256: 7e46f4279ddc4d534d8825da38d1fd6f8d9cce2f13c4768d3f28a7fe2f0c3e2b
SHA512: 0e4f1fbd1e1da4c518aa26268d002fa837e31fdd95070a4081b971c24a86c56b0a5b1cf5b420a05fdbc1d60f78a19abde2bff9f4c30c44cbaedc8439756f4ddf

Filesize: 6KB
MD5: b92bd2c332e156b2d3a78d48982c1776
SHA1: 75d7a86f84e7ac14eaa96dce3bf95f2e3e30b02d
SHA256: 84cd75a40ad927773896f75bef3a851d50938a2c9fc2beb2c29885708edfb058
SHA512: 5ad0a44da6b4e37552153e57d72985916ec7dfc3174fe09e8b593afc0cb1a490564fc3e64a2566d4106859f55fe805c098da656b5562768818cf95070b793611

Filesize: 977B
MD5: 53316bc0c42b9d65743709021f1d03c7
SHA1: 44cfe377bf7fedee2ce8f888cfacefd283e924e6
SHA256: 600d914eb6b9ffb387be5b7300ca138192a4e86c4679c9bff36bcf0364e74b36
SHA512: 9b390f6d7955413c8d63d02dff6988442cf78bbfb72e12f7deab56b190c1a7f455c5af3344ee5a1f7477d383c24e567af4fb7639ab6d9f014935418bf1cf00f6

Filesize: 2.2MB
MD5: c7b6e5fcb3c51c4cbd9058d90d088bf6
SHA1: b2057fcbac47dfa1c92df2ad0a3d6f78aefe00a8
SHA256: 4bd6365e1357e4d66aeb3b4d97da320316d01830b362ea6a61ce159e81c1c707
SHA512: 8f57c6450979ff9bdfaf5fd1431f339999e7388e0ed60247acc188c7688beba273a2aa8351cdcd1eca260308b8750f5a5fbda7c78121d9a227c727abc9a7fd9e