vobfus | 4b851113292f65082ba1d64244c0384cfaa39301adb582e394af13fe5bececa6

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/01/2025, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe
Size

524KB
MD5

e18ab1e385fcc3f1b44bf51c070c7f95
SHA1

abe55c2ceed151682ef9c27a457ec29791b7c01e
SHA256

4b851113292f65082ba1d64244c0384cfaa39301adb582e394af13fe5bececa6
SHA512

614ea4b4ceaf8fad69a8600e6dd03db4fbe28d212a649c9a363146e5c5b71c55cb79255fce69d783536d21ecf23f6f37aba6daa1017b5c047d80f9c6d8b7a437
SSDEEP

12288:l6N+HfWXmO2AyBZ1BYoheKmBXwc2zR85SAHtO:3OXQ3BZbYownJuQSAHtO

Score

10^/10

vobfus bootkit defense_evasion discovery persistence upx worm

Malware Config

Signatures

Vobfus
A widespread worm which spreads via network drives and removable media.
worm vobfus
Vobfus family
vobfus

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Google Update = "C:\\Users\\Admin\\AppData\\Roaming\\new.exe"	new.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	shop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\update = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe"	shop.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run	shop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\update = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe"	shop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	new.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FC5627A-98DF-BBEB-BBDA-79DBC6AEBDE4}	new.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FC5627A-98DF-BBEB-BBDA-79DBC6AEBDE4}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\new.exe"	new.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6FC5627A-98DF-BBEB-BBDA-79DBC6AEBDE4}	new.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components\{6FC5627A-98DF-BBEB-BBDA-79DBC6AEBDE4}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\new.exe"	new.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ntsvc32\ImagePath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rootkit-uncrypted.exe"	rootkit-uncrypted.exe

Executes dropped EXE 4 IoCs

pid	Process
2836	shop.exe
2712	rootkit-uncrypted.exe
2404	new.exe
2976	rootkit-uncrypted.exe

Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Safeboot\Minimal\ntsvc32	rootkit-uncrypted.exe

Loads dropped DLL 6 IoCs

pid	Process
3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe
3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe
3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe
3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe
3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe
3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe"	shop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe"	shop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Google Update = "C:\\Users\\Admin\\AppData\\Roaming\\new.exe"	new.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "C:\\Users\\Admin\\AppData\\Roaming\\new.exe"	new.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2776 set thread context of 3048	2776	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	30

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002c000000016d70-22.dat	upx
behavioral1/memory/3048-30-0x00000000026C0000-0x00000000026E4000-memory.dmp	upx
behavioral1/files/0x000900000001756b-46.dat	upx
behavioral1/memory/2404-53-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/3048-50-0x0000000002B40000-0x0000000002BB3000-memory.dmp	upx
behavioral1/memory/2836-109-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2836-110-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2404-111-0x0000000000400000-0x0000000000473000-memory.dmp	upx
behavioral1/memory/2404-133-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	new.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rootkit-uncrypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rootkit-uncrypted.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe
2976	rootkit-uncrypted.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	rootkit-uncrypted.exe
Token: SeDebugPrivilege	2976	rootkit-uncrypted.exe
Token: 1	2404	new.exe
Token: SeCreateTokenPrivilege	2404	new.exe
Token: SeAssignPrimaryTokenPrivilege	2404	new.exe
Token: SeLockMemoryPrivilege	2404	new.exe
Token: SeIncreaseQuotaPrivilege	2404	new.exe
Token: SeMachineAccountPrivilege	2404	new.exe
Token: SeTcbPrivilege	2404	new.exe
Token: SeSecurityPrivilege	2404	new.exe
Token: SeTakeOwnershipPrivilege	2404	new.exe
Token: SeLoadDriverPrivilege	2404	new.exe
Token: SeSystemProfilePrivilege	2404	new.exe
Token: SeSystemtimePrivilege	2404	new.exe
Token: SeProfSingleProcessPrivilege	2404	new.exe
Token: SeIncBasePriorityPrivilege	2404	new.exe
Token: SeCreatePagefilePrivilege	2404	new.exe
Token: SeCreatePermanentPrivilege	2404	new.exe
Token: SeBackupPrivilege	2404	new.exe
Token: SeRestorePrivilege	2404	new.exe
Token: SeShutdownPrivilege	2404	new.exe
Token: SeDebugPrivilege	2404	new.exe
Token: SeAuditPrivilege	2404	new.exe
Token: SeSystemEnvironmentPrivilege	2404	new.exe
Token: SeChangeNotifyPrivilege	2404	new.exe
Token: SeRemoteShutdownPrivilege	2404	new.exe
Token: SeUndockPrivilege	2404	new.exe
Token: SeSyncAgentPrivilege	2404	new.exe
Token: SeEnableDelegationPrivilege	2404	new.exe
Token: SeManageVolumePrivilege	2404	new.exe
Token: SeImpersonatePrivilege	2404	new.exe
Token: SeCreateGlobalPrivilege	2404	new.exe
Token: 31	2404	new.exe
Token: 32	2404	new.exe
Token: 33	2404	new.exe
Token: 34	2404	new.exe
Token: 35	2404	new.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2776	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe
3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe
2836	shop.exe
2404	new.exe
2404	new.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 3048	2776	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	30
PID 2776 wrote to memory of 3048	2776	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	30
PID 2776 wrote to memory of 3048	2776	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	30
PID 2776 wrote to memory of 3048	2776	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	30
PID 2776 wrote to memory of 3048	2776	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	30
PID 2776 wrote to memory of 3048	2776	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	30
PID 2776 wrote to memory of 3048	2776	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	30
PID 2776 wrote to memory of 3048	2776	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	30
PID 2776 wrote to memory of 3048	2776	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	30
PID 3048 wrote to memory of 2836	3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	31
PID 3048 wrote to memory of 2836	3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	31
PID 3048 wrote to memory of 2836	3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	31
PID 3048 wrote to memory of 2836	3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	31
PID 3048 wrote to memory of 2712	3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	32
PID 3048 wrote to memory of 2712	3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	32
PID 3048 wrote to memory of 2712	3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	32
PID 3048 wrote to memory of 2712	3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	32
PID 3048 wrote to memory of 2404	3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	33
PID 3048 wrote to memory of 2404	3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	33
PID 3048 wrote to memory of 2404	3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	33
PID 3048 wrote to memory of 2404	3048	JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe	33
PID 2976 wrote to memory of 256	2976	rootkit-uncrypted.exe	1
PID 2976 wrote to memory of 332	2976	rootkit-uncrypted.exe	2
PID 2976 wrote to memory of 368	2976	rootkit-uncrypted.exe	3
PID 2976 wrote to memory of 376	2976	rootkit-uncrypted.exe	4
PID 2976 wrote to memory of 416	2976	rootkit-uncrypted.exe	5
PID 2976 wrote to memory of 464	2976	rootkit-uncrypted.exe	6
PID 2976 wrote to memory of 472	2976	rootkit-uncrypted.exe	7
PID 2976 wrote to memory of 480	2976	rootkit-uncrypted.exe	8
PID 2976 wrote to memory of 576	2976	rootkit-uncrypted.exe	9
PID 2976 wrote to memory of 656	2976	rootkit-uncrypted.exe	10
PID 2976 wrote to memory of 744	2976	rootkit-uncrypted.exe	11
PID 2976 wrote to memory of 792	2976	rootkit-uncrypted.exe	12
PID 2976 wrote to memory of 820	2976	rootkit-uncrypted.exe	13
PID 2976 wrote to memory of 972	2976	rootkit-uncrypted.exe	15
PID 2976 wrote to memory of 280	2976	rootkit-uncrypted.exe	16
PID 2976 wrote to memory of 112	2976	rootkit-uncrypted.exe	17
PID 2976 wrote to memory of 672	2976	rootkit-uncrypted.exe	18
PID 2976 wrote to memory of 1096	2976	rootkit-uncrypted.exe	19
PID 2976 wrote to memory of 1164	2976	rootkit-uncrypted.exe	20
PID 2976 wrote to memory of 1212	2976	rootkit-uncrypted.exe	21
PID 2976 wrote to memory of 1332	2976	rootkit-uncrypted.exe	23
PID 2976 wrote to memory of 1480	2976	rootkit-uncrypted.exe	24
PID 2976 wrote to memory of 1632	2976	rootkit-uncrypted.exe	25
PID 2976 wrote to memory of 2280	2976	rootkit-uncrypted.exe	26
PID 2976 wrote to memory of 1176	2976	rootkit-uncrypted.exe	27
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31
PID 2976 wrote to memory of 2836	2976	rootkit-uncrypted.exe	31

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:332

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:368
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:464
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:576
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe
      4⤵
      PID:1480
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1632
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:656
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:744
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:792
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1164
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:820
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:972
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:280
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:112
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:672
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1096
- - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
    3⤵
    PID:1332
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2280
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:1176
- - C:\Users\Admin\AppData\Local\Temp\rootkit-uncrypted.exe
    C:\Users\Admin\AppData\Local\Temp\rootkit-uncrypted.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2976
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:472
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:480

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:376

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e18ab1e385fcc3f1b44bf51c070c7f95.exe"
    3⤵
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Users\Admin\AppData\Local\Temp\shop.exe
      "C:\Users\Admin\AppData\Local\Temp\shop.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\rootkit-uncrypted.exe
      "C:\Users\Admin\AppData\Local\Temp\rootkit-uncrypted.exe"
      4⤵
      Sets service image path in registry
      Executes dropped EXE
      Impair Defenses: Safe Mode Boot
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\new.exe
      "C:\Users\Admin\AppData\Local\Temp\new.exe"
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\new.exe

Filesize
162KB

MD5
509afdca541092555e6a07b42549fdf2

SHA1
eed6f0db04fc21c7dc1e6efba85c64265ef8c837

SHA256
c1a4274d740018703e69dc45202fd811c425df531ce41276486e538a7ac210ed

SHA512
c0355e7b2295fee5784a378bab502fb4eafffffd42a3d258a836ae43fa42d5e49166025173cf311672c81bbf32b10572beebbae4df5604ca3f4884429928a16e

Download Submit
\Users\Admin\AppData\Local\Temp\rootkit-uncrypted.exe

Filesize
66KB

MD5
da8b7ef46030c3ff3253924e669cce2b

SHA1
094407e3b46b429cca656322580aed93850deb9d

SHA256
3e32e3b51345bef4ded1803099101cf2234180791658f0da242b3a18f9d73aba

SHA512
c74c6e08cfa83cbeb0cdc5b87ccb334050ca975b9e3d50349fa43347099b8301beb1cc528d6d1498d3ea19e4579735ae147233b464026e9583e02d5145a0394e

Download Submit
\Users\Admin\AppData\Local\Temp\shop.exe

Filesize
63KB

MD5
1f83f55d3a5c4a301004a795e56cf34f

SHA1
79e3a31ffe727999c005cf9913c16a6497a20440

SHA256
93f017d1c22d38951513b0dd456529e2d11bfc00d3c5df151ad052a617b0835e

SHA512
62ad5aecdd32a102bfcd6dd467558d0055c5bb1e01baed8ff5399b7ee695b7491d02e65cb3165cd96d40ca901eeb8b4de4e809487fc47d12f6bdefb52d718301

Download Submit
memory/2404-133-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2404-111-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2404-105-0x000000007EE60000-0x000000007EE61000-memory.dmp

Filesize
4KB

Download
memory/2404-106-0x000000007EE50000-0x000000007EE51000-memory.dmp

Filesize
4KB

Download
memory/2404-53-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2776-16-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2836-73-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2836-77-0x000000007EEE0000-0x000000007EEE1000-memory.dmp

Filesize
4KB

Download
memory/2836-110-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2836-109-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2836-65-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2836-66-0x000000007EF90000-0x000000007EF91000-memory.dmp

Filesize
4KB

Download
memory/2836-67-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2836-68-0x000000007EF70000-0x000000007EF71000-memory.dmp

Filesize
4KB

Download
memory/2836-78-0x000000007EED0000-0x000000007EED1000-memory.dmp

Filesize
4KB

Download
memory/2836-80-0x000000007EEB0000-0x000000007EEB1000-memory.dmp

Filesize
4KB

Download
memory/2836-84-0x000000007EE70000-0x000000007EE71000-memory.dmp

Filesize
4KB

Download
memory/2836-83-0x000000007EE80000-0x000000007EE81000-memory.dmp

Filesize
4KB

Download
memory/2836-69-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/2836-70-0x000000007EF50000-0x000000007EF51000-memory.dmp

Filesize
4KB

Download
memory/2836-82-0x000000007EE90000-0x000000007EE91000-memory.dmp

Filesize
4KB

Download
memory/2836-81-0x000000007EEA0000-0x000000007EEA1000-memory.dmp

Filesize
4KB

Download
memory/2836-79-0x000000007EEC0000-0x000000007EEC1000-memory.dmp

Filesize
4KB

Download
memory/2836-71-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2836-76-0x000000007EEF0000-0x000000007EEF1000-memory.dmp

Filesize
4KB

Download
memory/2836-75-0x000000007EF00000-0x000000007EF01000-memory.dmp

Filesize
4KB

Download
memory/2836-74-0x000000007EF10000-0x000000007EF11000-memory.dmp

Filesize
4KB

Download
memory/2836-72-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/3048-7-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3048-31-0x00000000026C0000-0x00000000026E4000-memory.dmp

Filesize
144KB

Download
memory/3048-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3048-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3048-50-0x0000000002B40000-0x0000000002BB3000-memory.dmp

Filesize
460KB

Download
memory/3048-5-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3048-51-0x0000000002B40000-0x0000000002BB3000-memory.dmp

Filesize
460KB

Download
memory/3048-63-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3048-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3048-30-0x00000000026C0000-0x00000000026E4000-memory.dmp

Filesize
144KB

Download
memory/3048-20-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3048-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download