Analysis

max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-01-2025 21:50

Static task: static1

Behavioral task: behavioral1
  Sample: JaffaCakes118_07c23df001df7e506492963e3da1f05d.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: JaffaCakes118_07c23df001df7e506492963e3da1f05d.exe
  Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_07c23df001df7e506492963e3da1f05d.exe
Size: 1.4MB
MD5: 07c23df001df7e506492963e3da1f05d
SHA1: cfc0f3f9ae3573338eab8a6c21fc03d0e5ccf072
SHA256: 82521bc29ba647a7ce9b04dd2ddfd8e5a4e6aea8f1cea324d5061725e620e9a1
SHA512: 17e05336fc8f51713830f0012a9a008b94c2e4296ee9f31ac9d3e543fbbef1ae23097ffbe35f04c9414b2592352e3e61ebd7a3c316692d6ba1dddcd6aed6ffe2
SSDEEP: 24576:Ug25Nb0iuknMq8iDthEVaPqLnu+ws7GkyIpf1xlC1EKErHZH4NmXlRLuS63ZyKnT:dJjMXEVUcuMqOf17C1EPrHZXLQpGaN
Malware Config

Signatures

Darkcomet family
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\Setup.exe" | Stage1.exe
Windows security bypass 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | explorer.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Stage1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | JaffaCakes118_07c23df001df7e506492963e3da1f05d.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | 2.exe
Executes dropped EXE 4 IoCs
pid | Process
2064 | 1.exe
1500 | 2.exe
2836 | Stage2.exe
1864 | Stage1.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Setup = "C:\\Windupdt\\Setup.exe" | Stage1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Setup = "C:\\Windupdt\\Setup.exe" | notepad.exe
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2064-192-0x0000000000400000-0x00000000004B6000-memory.dmp | autoit_exe
behavioral2/memory/2064-193-0x0000000000400000-0x00000000004B6000-memory.dmp | autoit_exe
behavioral2/memory/2064-288-0x0000000000400000-0x00000000004B6000-memory.dmp | autoit_exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1864 set thread context of 4032 | 1864 | Stage1.exe | 104

Yara rule matches: upx
resource | yara_rule
behavioral2/files/0x0032000000023b77-8.dat | upx
behavioral2/memory/2064-14-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
behavioral2/files/0x000a000000023b7e-20.dat | upx
behavioral2/memory/2064-192-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
behavioral2/memory/2064-193-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
behavioral2/memory/2064-288-0x0000000000400000-0x00000000004B6000-memory.dmp | upx
behavioral2/files/0x000a000000023b7b-292.dat | upx
behavioral2/memory/1500-298-0x0000000000400000-0x0000000000424000-memory.dmp | upx
behavioral2/files/0x0016000000023c3a-306.dat | upx
behavioral2/memory/2836-313-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral2/memory/2836-317-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral2/files/0x0008000000023c40-318.dat | upx
behavioral2/memory/1864-320-0x0000000013140000-0x000000001320B000-memory.dmp | upx
behavioral2/memory/4032-324-0x0000000013140000-0x000000001320B000-memory.dmp | upx
behavioral2/memory/4032-325-0x0000000013140000-0x000000001320B000-memory.dmp | upx
behavioral2/memory/1864-328-0x0000000013140000-0x000000001320B000-memory.dmp | upx
behavioral2/memory/4032-327-0x0000000013140000-0x000000001320B000-memory.dmp | upx
behavioral2/memory/4032-334-0x0000000013140000-0x000000001320B000-memory.dmp | upx
behavioral2/memory/4032-333-0x0000000013140000-0x000000001320B000-memory.dmp | upx
behavioral2/memory/1500-338-0x0000000000400000-0x0000000000424000-memory.dmp | upx
behavioral2/memory/4032-332-0x0000000013140000-0x000000001320B000-memory.dmp | upx
behavioral2/memory/4032-330-0x0000000013140000-0x000000001320B000-memory.dmp | upx
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Stage2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Stage1.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Stage1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Stage1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Stage1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | Stage1.exe
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | Stage1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
2064 | 1.exe
4032 | explorer.exe
Suspicious use of AdjustPrivilegeToken 48 IoCs
pid | Process | Tokens
1864 | Stage1.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
4032 | explorer.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4032 | explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | writes
PID 2324 wrote to memory of 2064 | 2324 | JaffaCakes118_07c23df001df7e506492963e3da1f05d.exe | 84 | 3
PID 2324 wrote to memory of 1500 | 2324 | JaffaCakes118_07c23df001df7e506492963e3da1f05d.exe | 99 | 3
PID 1500 wrote to memory of 2836 | 1500 | 2.exe | 100 | 3
PID 1500 wrote to memory of 1864 | 1500 | 2.exe | 102 | 3
PID 1864 wrote to memory of 3396 | 1864 | Stage1.exe | 103 | 23
PID 1864 wrote to memory of 4032 | 1864 | Stage1.exe | 104 | 5
PID 4032 wrote to memory of 4868 | 4032 | explorer.exe | 105 | 22
PID 1500 wrote to memory of 2588 | 1500 | 2.exe | 106 | 2
Processes

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c23df001df7e506492963e3da1f05d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c23df001df7e506492963e3da1f05d.exe"
    PID: 2324
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\1.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
        PID: 2064
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam

    [2] C:\Users\Admin\AppData\Local\Temp\2.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
        PID: 1500
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\Stage2.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\Stage2.exe" x -y -oC:\Users\Admin\AppData\Local\Temp -pxnq8rPMxVI87ciGwWJHxRTy3iauHcIirteOOELv3B5vkS9kJoHBUAahY1dWxj8yA
            PID: 2836
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

        [3] C:\Users\Admin\AppData\Local\Temp\Stage1.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\Stage1.exe"
            PID: 1864
            - Modifies WinLogon for persistence
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Enumerates system info in registry
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\notepad.exe
                Command line: notepad
                PID: 3396
                - Adds Run key to start application
                - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\explorer.exe
                Command line: "C:\Windows\SysWOW64\explorer.exe"
                PID: 4032
                - Windows security bypass
                - Checks BIOS information in registry
                - System Location Discovery: System Language Discovery
                - Checks processor information in registry
                - Enumerates system info in registry
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\notepad.exe
                    Command line: C:\Windows\SysWOW64\notepad.exe
                    PID: 4868
                    - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
            PID: 2588
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads