Analysis
-
max time kernel
145s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19/01/2025, 12:24
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
-
Size
2.2MB
-
MD5
c7b6e5fcb3c51c4cbd9058d90d088bf6
-
SHA1
b2057fcbac47dfa1c92df2ad0a3d6f78aefe00a8
-
SHA256
4bd6365e1357e4d66aeb3b4d97da320316d01830b362ea6a61ce159e81c1c707
-
SHA512
8f57c6450979ff9bdfaf5fd1431f339999e7388e0ed60247acc188c7688beba273a2aa8351cdcd1eca260308b8750f5a5fbda7c78121d9a227c727abc9a7fd9e
-
SSDEEP
49152:e1UsIvTfS+rb9188MVfdzM3oNMLoZ6M4ejnXxrkHxLI5:BtvTfSu9xofd/Ns58Jt5
Malware Config
Signatures
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
-
Drops file in Drivers directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File created | C:\Windows\system32\drivers\etc\host_new | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File created | C:\Windows\System32\drivers\etc\hosts | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe \Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~1.exe\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard\Debugger = "svchost.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 36 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 208.67.222.222
Destination IP | 208.67.220.220
Destination IP | 208.67.220.220
Destination IP | 208.67.222.222
Destination IP | 208.67.220.220
Destination IP | 208.67.220.220
Destination IP | 208.67.222.222
Destination IP | 208.67.220.220
Destination IP | 208.67.220.220
Destination IP | 208.67.222.222
Destination IP | 208.67.222.222
Destination IP | 208.67.220.220
Destination IP | 208.67.222.222
Destination IP | 208.67.222.222
Destination IP | 208.67.222.222
Destination IP | 208.67.220.220
Destination IP | 208.67.220.220
Destination IP | 208.67.220.220
Destination IP | 208.67.222.222
Destination IP | 208.67.222.222
Destination IP | 208.67.220.220
Destination IP | 208.67.220.220
Destination IP | 208.67.222.222
Destination IP | 208.67.222.222
Destination IP | 208.67.222.222
Destination IP | 208.67.222.222
Destination IP | 208.67.222.222
Destination IP | 208.67.220.220
Destination IP | 208.67.222.222
Destination IP | 208.67.220.220
Destination IP | 208.67.220.220
Destination IP | 208.67.220.220
Destination IP | 208.67.222.222
Destination IP | 208.67.222.222
Destination IP | 208.67.220.220
Destination IP | 208.67.220.220
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PC Security Guardian = "\"C:\\ProgramData\\74377\\PSd98.exe\" /s /d" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PC Security Guardian = "\"C:\\ProgramData\\74377\\PSd98.exe\" /s " | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key deleted | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
-
Checks for any installed AV software in registry 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\ | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\V: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\H: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\K: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\N: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\R: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\W: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\Z: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\I: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\J: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\P: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\T: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\U: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\X: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\Y: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\E: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\L: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\M: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\S: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\G: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\O: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
File opened (read-only) | \??\Q: | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 3728 set thread context of 1960 | 3728 | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe | 85
-
resource | yara_rule
behavioral2/memory/1960-1-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-3-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-4-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-5-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-266-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-268-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-277-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-284-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-272-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-271-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-267-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-285-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-286-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-287-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-312-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-389-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-391-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-399-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-387-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-341-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-340-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-311-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-333-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-309-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-308-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-408-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-410-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-411-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-412-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-414-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-415-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-424-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-423-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-425-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-426-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-437-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-438-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-442-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-453-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-463-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-464-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/1960-486-0x0000000013140000-0x000000001372D000-memory.dmp | upx
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
-
System Location Discovery: System Language Discovery 1 TTPs 28 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mofcomp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nslookup.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\IIL = "0" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\ltHI = "0" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\ltTST = "44692" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
-
Modifies registry class 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32 | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler\Clsid | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler\ = "Implements DocHostUIHandler" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.DocHostUIHandler" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe" | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1960 | JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe (this identical row is repeated 64 times in the report)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeSecurityPrivilege 3968 mofcomp.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3728 wrote to memory of 1960 3728 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 85 PID 3728 wrote to memory of 1960 3728 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 85 PID 3728 wrote to memory of 1960 3728 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 85 PID 3728 wrote to memory of 1960 3728 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 85 PID 3728 wrote to memory of 1960 3728 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 85 PID 1960 wrote to memory of 3968 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 98 PID 1960 wrote to memory of 3968 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 98 PID 1960 wrote to memory of 3968 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 98 PID 1960 wrote to memory of 4828 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 99 PID 1960 wrote to memory of 4828 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 99 PID 1960 wrote to memory of 4828 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 99 PID 1960 wrote to memory of 2744 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 102 PID 1960 wrote to memory of 2744 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 102 PID 1960 wrote to memory of 2744 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 102 PID 1960 wrote to memory of 936 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 104 PID 1960 wrote to memory of 936 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 104 PID 1960 wrote to memory of 936 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 104 PID 1960 wrote to memory of 3016 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 106 PID 1960 wrote to memory of 3016 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 106 PID 1960 wrote to memory of 3016 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 106 PID 1960 wrote to memory of 3388 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 110 PID 1960 wrote to 
memory of 3388 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 110 PID 1960 wrote to memory of 3388 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 110 PID 1960 wrote to memory of 448 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 112 PID 1960 wrote to memory of 448 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 112 PID 1960 wrote to memory of 448 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 112 PID 1960 wrote to memory of 1684 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 114 PID 1960 wrote to memory of 1684 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 114 PID 1960 wrote to memory of 1684 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 114 PID 1960 wrote to memory of 2372 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 116 PID 1960 wrote to memory of 2372 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 116 PID 1960 wrote to memory of 2372 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 116 PID 1960 wrote to memory of 1852 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 118 PID 1960 wrote to memory of 1852 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 118 PID 1960 wrote to memory of 1852 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 118 PID 1960 wrote to memory of 1416 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 120 PID 1960 wrote to memory of 1416 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 120 PID 1960 wrote to memory of 1416 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 120 PID 1960 wrote to memory of 1844 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 122 PID 1960 wrote to memory of 1844 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 122 PID 1960 wrote to memory of 1844 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 122 PID 1960 wrote to memory of 4440 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 124 PID 1960 wrote to memory of 4440 1960 
JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 124 PID 1960 wrote to memory of 4440 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 124 PID 1960 wrote to memory of 4820 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 126 PID 1960 wrote to memory of 4820 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 126 PID 1960 wrote to memory of 4820 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 126 PID 1960 wrote to memory of 3548 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 128 PID 1960 wrote to memory of 3548 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 128 PID 1960 wrote to memory of 3548 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 128 PID 1960 wrote to memory of 1700 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 130 PID 1960 wrote to memory of 1700 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 130 PID 1960 wrote to memory of 1700 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 130 PID 1960 wrote to memory of 888 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 132 PID 1960 wrote to memory of 888 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 132 PID 1960 wrote to memory of 888 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 132 PID 1960 wrote to memory of 3872 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 134 PID 1960 wrote to memory of 3872 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 134 PID 1960 wrote to memory of 3872 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 134 PID 1960 wrote to memory of 1312 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 136 PID 1960 wrote to memory of 1312 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 136 PID 1960 wrote to memory of 1312 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 136 PID 1960 wrote to memory of 1376 1960 JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 138 PID 1960 wrote to memory of 1376 1960 
JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe 138
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe  (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3728

  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe  (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe"
    - Enumerates VirtualBox registry keys
    - Drops file in Drivers directory
    - Event Triggered Execution: Image File Execution Options Injection
    - Adds Run key to start application
    - Checks for any installed AV software in registry
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1960

    C:\Windows\SysWOW64\Wbem\mofcomp.exe  (level 3)
      Command line: mofcomp "C:\Users\Admin\AppData\Local\Temp\7133.mof"
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID:3968

    C:\Windows\SysWOW64\netsh.exe  (level 3)
      Command line: netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7b6e5fcb3c51c4cbd9058d90d088bf6.exe" "PC Security Guardian" ENABLE
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      PID:4828

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt kll140syfjllnraj.com 8.8.8.8
      - System Location Discovery: System Language Discovery
      PID:2744

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt kll140syfjllnraj.net 8.8.8.8
      - System Location Discovery: System Language Discovery
      PID:936

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt kll140syfjllnraj.com 208.67.222.222
      - System Location Discovery: System Language Discovery
      PID:3016

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt kll140syfjllnraj.net 208.67.222.222
      - System Location Discovery: System Language Discovery
      PID:3388

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt kll140syfjllnraj.com 8.8.4.4
      - System Location Discovery: System Language Discovery
      PID:448

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt kll140syfjllnraj.net 8.8.4.4
      - System Location Discovery: System Language Discovery
      PID:1684

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt kll140syfjllnraj.com 208.67.220.220
      - System Location Discovery: System Language Discovery
      PID:2372

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt kll140syfjllnraj.net 208.67.220.220
      - System Location Discovery: System Language Discovery
      PID:1852

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt cllr406rswfjprx.com 8.8.8.8
      - System Location Discovery: System Language Discovery
      PID:1416

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt cllr406rswfjprx.net 8.8.8.8
      - System Location Discovery: System Language Discovery
      PID:1844

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt cllr406rswfjprx.com 208.67.222.222
      - System Location Discovery: System Language Discovery
      PID:4440

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt cllr406rswfjprx.net 208.67.222.222
      - System Location Discovery: System Language Discovery
      PID:4820

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt cllr406rswfjprx.com 8.8.4.4
      - System Location Discovery: System Language Discovery
      PID:3548

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt cllr406rswfjprx.net 8.8.4.4
      - System Location Discovery: System Language Discovery
      PID:1700

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt cllr406rswfjprx.com 208.67.220.220
      - System Location Discovery: System Language Discovery
      PID:888

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt cllr406rswfjprx.net 208.67.220.220
      - System Location Discovery: System Language Discovery
      PID:3872

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt gpwbipwb1035fhnp.com 8.8.8.8
      - System Location Discovery: System Language Discovery
      PID:1312

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt gpwbipwb1035fhnp.net 8.8.8.8
      - System Location Discovery: System Language Discovery
      PID:1376

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt gpwbipwb1035fhnp.com 208.67.222.222
      - System Location Discovery: System Language Discovery
      PID:3152

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt gpwbipwb1035fhnp.net 208.67.222.222
      - System Location Discovery: System Language Discovery
      PID:3328

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt gpwbipwb1035fhnp.com 8.8.4.4
      - System Location Discovery: System Language Discovery
      PID:1440

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt gpwbipwb1035fhnp.net 8.8.4.4
      - System Location Discovery: System Language Discovery
      PID:1048

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt gpwbipwb1035fhnp.com 208.67.220.220
      - System Location Discovery: System Language Discovery
      PID:4980

    C:\Windows\SysWOW64\nslookup.exe  (level 3)
      Command line: nslookup -q=txt gpwbipwb1035fhnp.net 208.67.220.220
      - System Location Discovery: System Language Discovery
      PID:4060
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (2)
    Image File Execution Options Injection (1)
    Netsh Helper DLL (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (2)
    Image File Execution Options Injection (1)
    Netsh Helper DLL (1)
Defense Evasion
  Modify Registry (2)
  Pre-OS Boot (1)
    Bootkit (1)
  Virtualization/Sandbox Evasion (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
Filesize: 2.2MB
MD5: c7b6e5fcb3c51c4cbd9058d90d088bf6
SHA1: b2057fcbac47dfa1c92df2ad0a3d6f78aefe00a8
SHA256: 4bd6365e1357e4d66aeb3b4d97da320316d01830b362ea6a61ce159e81c1c707
SHA512: 8f57c6450979ff9bdfaf5fd1431f339999e7388e0ed60247acc188c7688beba273a2aa8351cdcd1eca260308b8750f5a5fbda7c78121d9a227c727abc9a7fd9e

Filesize: 196B
MD5: 6e86650ad96258b23f022605c5f202d5
SHA1: 321290e91871cb653441e3c87ee8b20ab5f008a0
SHA256: 8c39246796530ee7588fc16486335d00d5b7273ebb26efe5833e4cfc2bcfe223
SHA512: e8a7bdf4bd2fba233a1a6cdf977d57dcb37ae46bc52bf29b4d23c6294e769069e146bcb5f56c4edbc3f93d38a226a9349f604b54156696ccdef41106cc05060c

Filesize: 385B
MD5: 9b5dd3a84ef3c61e20bf565f5a446d79
SHA1: fc35036fb03ee83cee9d5dc576a0d1628e0eb79e
SHA256: 705a6156679e44205f8a5b42950ca3e85120e34b5d504f0d3936598e3f0ac3f6
SHA512: 937218480305bc57cc046f4e2fc98dd402ad686571a44071732c8a5865398d111c56e2af57526cf1b346b15fa3f0c7b5cb34b6c02758354b476dccd151853c25

Filesize: 2KB
MD5: 8726c69e8f4d01cc58895294b704281a
SHA1: 135f4a814135a24960e0c73240723e6a7162302b
SHA256: 70a1118b94b74711f28334e2bb79ad2f052e723415b283b08fbe93243d98fb9f
SHA512: ddcda26c6c6b350245947646156a30a0b23420dae816d1b5ca03a1f63398ab2c702fc87efe6869a5b344c5b703fd473477518f873c7e9c33a1ab1f1ea2a2dded

Filesize: 2KB
MD5: bbfeecdf0b80a981d02b333151678f28
SHA1: a3488be9cf67b1724afb6e210b75f67ea1b846d2
SHA256: f45d461cd1ffc995bafd1d2469904099dec8e7d08eedb8042df39f48146ee2b5
SHA512: 838a54c74e766ec728e6f02102c6a098545665963e8b998cb0e31f79483db1ee5ddb77f13c26a360bcdd15ca218a1e20edbddcf86e0124fa2983711b83fade79

Filesize: 2KB
MD5: 1cc617d857f7fa93093c29deb7d66b6b
SHA1: 5f2cfedaf055ae8ddc99a4ed59f7ac4acf015126
SHA256: 6a685f497708e617af448a2587a881dbb1b51eaacf6e6e1ee7a81c1dfb9e69fa
SHA512: a009450e54e1b6eae9093949bf529c5af654172da66cf79cbedebb94945ac88e27863e5918d7d085f5cb3a959caf84faa5ee0d9e1a2691d4f2b2c127f629c10e

Filesize: 185B
MD5: b8224e5293d4fad1927c751cc00c80e7
SHA1: 270b8c752c7e93ec5485361fe6ef7b37f0b4513b
SHA256: c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61
SHA512: 8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2

Filesize: 338B
MD5: f1105ae1645a228e4054effbed8c2901
SHA1: 5a7940e396bcbcb7e8f3275e880811c3b10d1edf
SHA256: 7e46f4279ddc4d534d8825da38d1fd6f8d9cce2f13c4768d3f28a7fe2f0c3e2b
SHA512: 0e4f1fbd1e1da4c518aa26268d002fa837e31fdd95070a4081b971c24a86c56b0a5b1cf5b420a05fdbc1d60f78a19abde2bff9f4c30c44cbaedc8439756f4ddf

Filesize: 11KB
MD5: 1f9ae3566e6e15208c2d525ac99b1c8a
SHA1: 61704dd0fd4f5955aec3187f381eb3e04eed85aa
SHA256: 6e544c24c43d8a6084d83dcd3cff42a8480b5776b0dbe7be9b000f558e2fb373
SHA512: b74dbc4db05579767f01dd17e1c8d75b7e80a3e52626ec39daacd5cb559e8a8aecd628a5384f49888f766fd73cb770761c6a0deebdf8f3d0f825ac6d1bc20e4c

Filesize: 1KB
MD5: 008fba141529811128b8cd5f52300f6e
SHA1: 1a350b35d82cb4bd7a924b6840c36a678105f793
SHA256: ab0e454a786ef19a3ae1337f10f47354ffa9521ea5026e9e11174eca22d86e84
SHA512: 80189560b6cf180a9c1ecafc90018b48541687f52f5d49b54ca25e040b3264da053e3d4dbb0cd38caaf496e23e516de18f500b333e3cda1fd1b25c6e9632defc