Analysis

max time kernel: 140s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29/03/2025, 20:23

Behavioral task behavioral1
  Sample: JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe
  Resource: win7-20240903-en
Behavioral task behavioral2
  Sample: JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe
  Resource: win10v2004-20250314-en

General

Target: JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe
Size: 2.5MB
MD5: 97e8e9dace053f080fefae2c7998c42d
SHA1: 157d70f91958686aa0c5aa97eb65e524b3e0db82
SHA256: 4921494fbab192c1d202585f16ef5cd46628ce8175c967d65a6dd1c98bf37b07
SHA512: 134f9891dea763f4dac798043e39d18b7bd7e851991d993f1702f9ce3973b52362d2273de87cfda8d974628991cd8d60a238c9a7e9e017d70e0fd3b9c120345d
SSDEEP: 49152:h/jv6c3CLcIKEkFnJVYAOVUdYmrJh5IzdzQCfV4+81G:t29pWc2BjIvu+iG
Malware Config

Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

ModiLoader Second Stage 2 IoCs
resource (yara_rule):
- behavioral1/files/0x0008000000016c8c-10.dat (modiloader_stage2)
- behavioral1/memory/2860-173-0x0000000000400000-0x00000000004BD000-memory.dmp (modiloader_stage2; PID 2860 is 1.exe, see Processes)
ACProtect 1.3x - 1.4x DLL software 5 IoCs
Detects file using ACProtect software.
resource (yara_rule):
- behavioral1/files/0x000600000001904c-112.dat (acprotect)
- behavioral1/files/0x00050000000187a2-141.dat (acprotect)
- behavioral1/files/0x0015000000018676-137.dat (acprotect)
- behavioral1/files/0x00060000000190e1-133.dat (acprotect)
- behavioral1/files/0x00050000000191d2-129.dat (acprotect)
Executes dropped EXE 9 IoCs
pid, Process:
- 2860 1.exe
- 2696 csolzdmz0602.exe
- 2596 CTFNOM.exe
- 2732 CTFN0M.exe
- 2592 CTFMOM.exe
- 2316 CTFM0M.exe
- 2228 CTFM0N.exe
- 1984 CIFN0N.exe
- 2248 csolzdmz0602.exe
Loads dropped DLL 30 IoCs
pid, Process (repeated entries collapsed with their count):
- 2704 JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe (x4)
- 2696 csolzdmz0602.exe (x12)
- 2592 CTFMOM.exe
- 2732 CTFN0M.exe
- 2696 csolzdmz0602.exe
- 2228 CTFM0N.exe
- 2316 CTFM0M.exe
- 1984 CIFN0N.exe
- 2248 csolzdmz0602.exe (x8)
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity. In this run five of the six ctfmon-lookalike binaries (all but CTFNOM.exe) remove their own on-disk image by spawning "cmd.exe" /c del C:\Windows\SysWOW64\<name>.exe >> NUL (cmd.exe PIDs 1836, 1708, 672, 888 and 1744 in the process tree).
Drops file in System32 directory 11 IoCs
description, ioc (Process):
- File created C:\Windows\SysWOW64\csolzdmz0602.exe (csolzdmz0602.exe)
- File opened for modification C:\Windows\SysWOW64\qzp3jTZCSfSh.dll (CIFN0N.exe)
- File opened for modification C:\Windows\SysWOW64\xg4hAPNygs29.dll (CTFM0N.exe)
- File created C:\Windows\SysWOW64\CTFNOM.exe (csolzdmz0602.exe)
- File created C:\Windows\SysWOW64\CTFN0M.exe (csolzdmz0602.exe)
- File created C:\Windows\SysWOW64\CTFM0N.exe (csolzdmz0602.exe)
- File created C:\Windows\SysWOW64\CIFN0N.exe (csolzdmz0602.exe)
- File opened for modification C:\Windows\SysWOW64\JPccCJnKygDdp3.dll (CTFMOM.exe)
- File opened for modification C:\Windows\SysWOW64\Qh6xX7VN48sVPnK.dll (CTFN0M.exe)
- File created C:\Windows\SysWOW64\CTFMOM.exe (csolzdmz0602.exe)
- File created C:\Windows\SysWOW64\CTFM0M.exe (csolzdmz0602.exe)
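The dropped names above (CTFNOM, CTFN0M, CTFMOM, CTFM0M, CTFM0N, CIFN0N) are each one or two character swaps, or a confusable glyph such as 0 for O, away from the legitimate ctfmon.exe that lives in the same directory. The script below is an added detection example written for this report, not part of the sandbox output: it folds confusable characters and flags any dropped name within a small mismatch budget of an assumed allow-list of legitimate binaries. KNOWN_BINARIES, CONFUSABLES and MAX_MISMATCHES are illustrative assumptions; the DROPPED rows are copied from the "Executes dropped EXE" signature.

```python
"""Flag dropped executables whose names impersonate a legitimate Windows
binary (the ctfmon.exe look-alikes in this report) by folding confusable
characters and counting the remaining position-wise mismatches.

Added detection example for this report; not part of the sandbox output.
KNOWN_BINARIES, CONFUSABLES and MAX_MISMATCHES are assumptions chosen for
illustration, not a complete reference set.
"""

# Characters commonly substituted to make a name look like the original.
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "l": "i", "5": "s", "3": "e", "8": "b"})

# Legitimate names the dropped files are compared against (assumed list).
KNOWN_BINARIES = ("ctfmon.exe", "svchost.exe", "csrss.exe", "lsass.exe", "conhost.exe")

# Mismatches still tolerated after folding; tuned for ~10-character names
# (an assumption for this example, raise it and false positives rise too).
MAX_MISMATCHES = 2

# "Executes dropped EXE" rows copied from the report above (pid, process).
DROPPED = [
    (2860, "1.exe"), (2696, "csolzdmz0602.exe"), (2596, "CTFNOM.exe"),
    (2732, "CTFN0M.exe"), (2592, "CTFMOM.exe"), (2316, "CTFM0M.exe"),
    (2228, "CTFM0N.exe"), (1984, "CIFN0N.exe"), (2248, "csolzdmz0602.exe"),
]


def fold(name: str) -> str:
    """Lower-case the name and map confusable characters to their targets."""
    return name.lower().translate(CONFUSABLES)


def mismatches(a: str, b: str):
    """Position-wise mismatch count for equal-length strings, else None."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a, b))


def lookalike(name: str, known=KNOWN_BINARIES, max_mismatches=MAX_MISMATCHES):
    """Return the legitimate name that `name` impersonates, or None.

    An exact (case-insensitive) match is the real binary or a direct
    overwrite of it; that case belongs to file-integrity checks, not here.
    """
    lowered = name.lower()
    for legit in known:
        if lowered == legit:
            return None
        d = mismatches(fold(name), fold(legit))
        if d is not None and d <= max_mismatches:
            return legit
    return None


def scan_dropped(rows=DROPPED):
    """Map 'pid process' to the binary it impersonates, skipping clean names."""
    return {f"{pid} {proc}": target
            for pid, proc in rows
            if (target := lookalike(proc)) is not None}


if __name__ == "__main__":
    for entry, target in scan_dropped().items():
        print(f"{entry:<24} impersonates {target}")
```

Run as-is it reports the six ctfmon look-alikes and stays silent on 1.exe and csolzdmz0602.exe; the position-wise comparison deliberately ignores names of a different length, so a real deployment should pair it with an integrity check of the genuine binary rather than rely on name heuristics alone.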
UPX packed file 43 IoCs
resource (yara_rule: upx), dropped files:
- behavioral1/files/0x00070000000174a6-71.dat
- behavioral1/files/0x000600000001904c-112.dat
- behavioral1/files/0x00050000000187a2-141.dat
- behavioral1/files/0x0015000000018676-137.dat
- behavioral1/files/0x00060000000190e1-133.dat
- behavioral1/files/0x00050000000191d2-129.dat
- behavioral1/files/0x00060000000174c3-96.dat
- behavioral1/files/0x0009000000016da7-95.dat
- behavioral1/files/0x0007000000016d47-65.dat
- behavioral1/files/0x0007000000016d4f-62.dat
- behavioral1/files/0x0007000000016d36-31.dat
resource (yara_rule: upx), memory dumps by pid:
- behavioral1/memory/2704-0-0x0000000000400000-0x000000000041C000-memory.dmp
- behavioral1/memory/2704-19-0x0000000000400000-0x000000000041C000-memory.dmp
- behavioral1/memory/2696-23-0x0000000000360000-0x000000000036C000-memory.dmp
- behavioral1/memory/2696-36-0x0000000000360000-0x0000000000369000-memory.dmp
- behavioral1/memory/2696-43-0x0000000000360000-0x0000000000369000-memory.dmp
- behavioral1/memory/2696-63-0x0000000000360000-0x0000000000369000-memory.dmp
- behavioral1/memory/2596-34-0x0000000000400000-0x000000000040C000-memory.dmp
- behavioral1/memory/2732-99-0x0000000010000000-0x0000000010012000-memory.dmp
- behavioral1/memory/2732-119-0x0000000000400000-0x0000000000409000-memory.dmp
- behavioral1/memory/2732-159-0x0000000010000000-0x0000000010012000-memory.dmp
- behavioral1/memory/2592-55-0x0000000000400000-0x0000000000409000-memory.dmp
- behavioral1/memory/2592-89-0x0000000010000000-0x0000000010012000-memory.dmp
- behavioral1/memory/2592-156-0x0000000010000000-0x0000000010012000-memory.dmp
- behavioral1/memory/2592-162-0x0000000010000000-0x0000000010012000-memory.dmp
- behavioral1/memory/2316-64-0x0000000000400000-0x0000000000409000-memory.dmp
- behavioral1/memory/2316-118-0x0000000010000000-0x0000000010012000-memory.dmp
- behavioral1/memory/2316-142-0x0000000000400000-0x0000000000409000-memory.dmp
- behavioral1/memory/2316-165-0x0000000010000000-0x0000000010012000-memory.dmp
- behavioral1/memory/2228-87-0x0000000000400000-0x0000000000409000-memory.dmp
- behavioral1/memory/2228-117-0x0000000010000000-0x0000000010011000-memory.dmp
- behavioral1/memory/2228-168-0x0000000010000000-0x0000000010011000-memory.dmp
- behavioral1/memory/1984-88-0x0000000000400000-0x0000000000409000-memory.dmp
- behavioral1/memory/1984-124-0x0000000010000000-0x0000000010012000-memory.dmp
- behavioral1/memory/1984-155-0x0000000000400000-0x0000000000409000-memory.dmp
- behavioral1/memory/1984-171-0x0000000010000000-0x0000000010012000-memory.dmp
- behavioral1/memory/2248-134-0x0000000010000000-0x0000000010012000-memory.dmp
- behavioral1/memory/2248-136-0x0000000002560000-0x0000000002571000-memory.dmp
- behavioral1/memory/2248-138-0x0000000003710000-0x0000000003722000-memory.dmp
- behavioral1/memory/2248-139-0x00000000037C0000-0x00000000037D2000-memory.dmp
- behavioral1/memory/2248-143-0x0000000003F20000-0x0000000003F32000-memory.dmp
- behavioral1/memory/2248-172-0x00000000037C0000-0x00000000037D2000-memory.dmp
- behavioral1/memory/2248-175-0x0000000003F20000-0x0000000003F32000-memory.dmp
Drops file in Windows directory 6 IoCs
description, ioc (Process):
- File opened for modification C:\Windows\fOnts\qWskzsQA6.Ttf (CIFN0N.exe)
- File opened for modification C:\Windows\fonts\zEfE48cw9EmcFaR.fon (CTFM0M.exe)
- File opened for modification C:\Windows\fOnts\uawyv9Pr.Ttf (CTFMOM.exe)
- File opened for modification C:\Windows\fOnts\CcKKcpwJmND4.Ttf (CTFN0M.exe)
- File opened for modification C:\Windows\fOnts\K7XaTBMWp8TPrYgw.Ttf (CTFM0N.exe)
- File opened for modification C:\Windows\fOnts\CSzZ3gVtf.Ttf (CTFM0M.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description, ioc (Process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe, x5)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (CTFM0N.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (csolzdmz0602.exe, x2)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (CTFMOM.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (CTFM0M.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (CIFN0N.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (CTFN0M.exe)

Modifies Internet Explorer settings 1 IoCs
description, ioc (Process):
- Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main (csolzdmz0602.exe)
Modifies registry class 35 IoCs
Each of the five lookalike binaries registers one 32-bit (Wow6432Node) COM class whose InprocServer32 default value points at the file it dropped; four point at a randomly named DLL in C:\Windows\SysWow64, while CTFM0M.exe's server is a .fon file under C:\Windows\fonts rather than a .dll. The key names alternate between "CLSID" and the mixed-case "CLsID"; registry paths are case-insensitive, so both address the same key.
description, ioc (7 entries per process):
CTFN0M.exe, CLSID {B8898C49-7B3A-4306-A9EF-8E186EDEE5EA}:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8898C49-7B3A-4306-A9EF-8E186EDEE5EA}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8898C49-7B3A-4306-A9EF-8E186EDEE5EA}\InprocServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{B8898C49-7B3A-4306-A9EF-8E186EDEE5EA}\InprocServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8898C49-7B3A-4306-A9EF-8E186EDEE5EA}\InprocServer32\ = "C:\\Windows\\SysWow64\\Qh6xX7VN48sVPnK.dll"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8898C49-7B3A-4306-A9EF-8E186EDEE5EA}\InprocServer32\ThreadingModel = "Apartment"
CTFMOM.exe, CLSID {9726072A-8039-4958-B609-565CF7A16B38}:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9726072A-8039-4958-B609-565CF7A16B38}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9726072A-8039-4958-B609-565CF7A16B38}\InprocServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{9726072A-8039-4958-B609-565CF7A16B38}\InprocServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9726072A-8039-4958-B609-565CF7A16B38}\InprocServer32\ = "C:\\Windows\\SysWow64\\JPccCJnKygDdp3.dll"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9726072A-8039-4958-B609-565CF7A16B38}\InprocServer32\ThreadingModel = "Apartment"
CTFM0M.exe, CLSID {762D618C-E2CB-4217-8275-03302A93073F}:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{762D618C-E2CB-4217-8275-03302A93073F}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{762D618C-E2CB-4217-8275-03302A93073F}\InprocServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{762D618C-E2CB-4217-8275-03302A93073F}\InprocServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{762D618C-E2CB-4217-8275-03302A93073F}\InprocServer32\ = "C:\\Windows\\fonts\\zEfE48cw9EmcFaR.fon"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{762D618C-E2CB-4217-8275-03302A93073F}\InprocServer32\ThreadingModel = "Apartment"
CTFM0N.exe, CLSID {AB900155-F1F0-4165-9E73-67BC13BBCE89}:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB900155-F1F0-4165-9E73-67BC13BBCE89}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB900155-F1F0-4165-9E73-67BC13BBCE89}\InprocServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{AB900155-F1F0-4165-9E73-67BC13BBCE89}\InprocServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB900155-F1F0-4165-9E73-67BC13BBCE89}\InprocServer32\ = "C:\\Windows\\SysWow64\\xg4hAPNygs29.dll"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB900155-F1F0-4165-9E73-67BC13BBCE89}\InprocServer32\ThreadingModel = "Apartment"
CIFN0N.exe, CLSID {4F5EEDE5-1687-49D2-8A17-FF0B454FB37B}:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F5EEDE5-1687-49D2-8A17-FF0B454FB37B}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F5EEDE5-1687-49D2-8A17-FF0B454FB37B}\InprocServer32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsID\{4F5EEDE5-1687-49D2-8A17-FF0B454FB37B}\InprocServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F5EEDE5-1687-49D2-8A17-FF0B454FB37B}\InprocServer32\ = "C:\\Windows\\SysWow64\\qzp3jTZCSfSh.dll"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F5EEDE5-1687-49D2-8A17-FF0B454FB37B}\InprocServer32\ThreadingModel = "Apartment"
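The five InprocServer32 registrations above share the traits an analyst would key on: a randomly named server file, a non-DLL extension in one case, and a server living in the fonts directory. The script below is an added detection example written for this report, not sandbox output: it parses the "Set value" rows (copied verbatim from this signature, plus one constructed benign control row) and scores each registration against those traits. The allowed extensions, the fonts-directory check, the case-transition heuristic and its threshold are assumptions chosen for illustration.

```python
"""Parse the "Modifies registry class" rows above and flag COM in-process
server registrations that look like hijacks rather than software installs.

Added detection example for this report; not part of the sandbox output.
The five report rows are copied from the signature, the msiexec.exe row is
a constructed benign control, and the heuristics are illustrative.
"""
import re
from pathlib import PureWindowsPath

# Only the rows assigning the InprocServer32 default value carry the server
# path; the Key created / ThreadingModel rows add nothing to this check.
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9726072A-8039-4958-B609-565CF7A16B38}\InprocServer32\ = "C:\\Windows\\SysWow64\\JPccCJnKygDdp3.dll" CTFMOM.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{762D618C-E2CB-4217-8275-03302A93073F}\InprocServer32\ = "C:\\Windows\\fonts\\zEfE48cw9EmcFaR.fon" CTFM0M.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B8898C49-7B3A-4306-A9EF-8E186EDEE5EA}\InprocServer32\ = "C:\\Windows\\SysWow64\\Qh6xX7VN48sVPnK.dll" CTFN0M.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB900155-F1F0-4165-9E73-67BC13BBCE89}\InprocServer32\ = "C:\\Windows\\SysWow64\\xg4hAPNygs29.dll" CTFM0N.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F5EEDE5-1687-49D2-8A17-FF0B454FB37B}\InprocServer32\ = "C:\\Windows\\SysWow64\\qzp3jTZCSfSh.dll" CIFN0N.exe',
    # Constructed benign control (not from the report): an installer registering a normally named DLL.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\ = "C:\\Program Files (x86)\\Example\\example.dll" msiexec.exe',
]

ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>\S+?\\CLSID\\\{(?P<clsid>[0-9A-Fa-f-]{36})\}\\InprocServer32\\)'
    r' = "(?P<path>[^"]+)" (?P<proc>\S+)$',
    re.IGNORECASE,
)

LEGIT_SERVER_EXTENSIONS = {".dll", ".ocx", ".ax"}   # assumed allow-list
FONTS_DIR = "c:\\windows\\fonts"                    # assumed: no COM servers live here
RANDOM_THRESHOLD = 4                                # assumed tuning value


def parse_row(row: str):
    """Return {clsid, path, proc, wow64} for an InprocServer32 default-value row, else None."""
    m = ROW_RE.match(row)
    if not m:
        return None
    # Registry rendering doubles the backslashes in the value; undo that.
    path = m["path"].replace("\\\\", "\\")
    return {"clsid": m["clsid"].upper(), "path": path, "proc": m["proc"],
            "wow64": "wow6432node" in m["key"].lower()}


def randomness_score(stem: str) -> int:
    """Upper/lower case transitions plus digit count: crude but separates
    generated names like Qh6xX7VN48sVPnK from shell32 or msctf."""
    transitions, prev_upper = 0, None
    for ch in stem:
        if ch.isalpha():
            if prev_upper is not None and ch.isupper() != prev_upper:
                transitions += 1
            prev_upper = ch.isupper()
    return transitions + sum(ch.isdigit() for ch in stem)


def assess(reg: dict) -> list:
    """List the reasons a registration looks suspicious (empty means clean)."""
    p = PureWindowsPath(reg["path"])
    reasons = []
    if p.suffix.lower() not in LEGIT_SERVER_EXTENSIONS:
        reasons.append("non_dll_extension")
    if str(p.parent).lower().startswith(FONTS_DIR):
        reasons.append("fonts_directory")
    if randomness_score(p.stem) >= RANDOM_THRESHOLD:
        reasons.append("random_basename")
    return reasons


def suspicious_registrations(rows=REPORT_ROWS) -> list:
    """Parse every row and keep those with at least one reason."""
    out = []
    for row in rows:
        reg = parse_row(row)
        if reg is None:
            continue
        reasons = assess(reg)
        if reasons:
            out.append({**reg, "reasons": reasons})
    return out


if __name__ == "__main__":
    for hit in suspicious_registrations():
        print(hit["proc"], hit["clsid"], hit["path"], ", ".join(hit["reasons"]))
```

All five report rows are flagged for their random basenames; the CTFM0M.exe entry additionally trips both the extension and the fonts-directory checks, which is the single strongest indicator here because a .fon file is still a loadable PE image when referenced from InprocServer32. The constructed msiexec.exe control row parses but produces no reasons.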
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid, Process (repeated entries collapsed with their count):
- 2732 CTFN0M.exe (x3)
- 2592 CTFMOM.exe (x3)
- 2316 CTFM0M.exe (x3)
- 2228 CTFM0N.exe (x3)
- 1984 CIFN0N.exe (x3)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid, Process:
- 2248 csolzdmz0602.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description, pid, Process (repeated entries collapsed with their count):
- Token: SeDebugPrivilege 2592 CTFMOM.exe (x1)
- Token: SeDebugPrivilege 2732 CTFN0M.exe (x63)
Suspicious use of SetWindowsHookEx 9 IoCs
pid, Process (repeated entries collapsed with their count):
- 2696 csolzdmz0602.exe (x2)
- 2732 CTFN0M.exe
- 2592 CTFMOM.exe
- 2316 CTFM0M.exe
- 2228 CTFM0N.exe
- 1984 CIFN0N.exe
- 2248 csolzdmz0602.exe (x2)
Suspicious use of WriteProcessMemory 59 IoCs
description, pid, Process, procid_target (repeated entries collapsed with their count):
- PID 2704 wrote to memory of 2860; 2704 JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe; target 30 (x4)
- PID 2704 wrote to memory of 2696; 2704 JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe; target 31 (x4)
- PID 2696 wrote to memory of 2596; 2696 csolzdmz0602.exe; target 32 (x4)
- PID 2696 wrote to memory of 2732; 2696 csolzdmz0602.exe; target 33 (x4)
- PID 2696 wrote to memory of 2592; 2696 csolzdmz0602.exe; target 34 (x4)
- PID 2696 wrote to memory of 2316; 2696 csolzdmz0602.exe; target 35 (x4)
- PID 2696 wrote to memory of 2228; 2696 csolzdmz0602.exe; target 36 (x4)
- PID 2696 wrote to memory of 1984; 2696 csolzdmz0602.exe; target 37 (x4)
- PID 2696 wrote to memory of 2248; 2696 csolzdmz0602.exe; target 38 (x7)
- PID 2732 wrote to memory of 1836; 2732 CTFN0M.exe; target 39 (x4)
- PID 2592 wrote to memory of 1708; 2592 CTFMOM.exe; target 41 (x4)
- PID 2316 wrote to memory of 672; 2316 CTFM0M.exe; target 43 (x4)
- PID 2228 wrote to memory of 888; 2228 CTFM0N.exe; target 45 (x4)
- PID 1984 wrote to memory of 1744; 1984 CIFN0N.exe; target 47 (x4)
Processes

Command lines below reference C:\Windows\system32\ while the executing image is C:\Windows\SysWOW64\: these are 32-bit processes, and WoW64 file system redirection resolves system32 to SysWOW64 for them.

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe (PID 2704)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_97e8e9dace053f080fefae2c7998c42d.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Temp\1.exe (PID 2860)
    command line: "C:\Users\Admin\AppData\Local\Temp\Temp\1.exe"
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\Temp\csolzdmz0602.exe (PID 2696)
    command line: "C:\Users\Admin\AppData\Local\Temp\Temp\csolzdmz0602.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\CTFNOM.exe (PID 2596)
      command line: "C:\Windows\system32\CTFNOM.exe"
      - Executes dropped EXE

    C:\Windows\SysWOW64\CTFN0M.exe (PID 2732)
      command line: "C:\Windows\system32\CTFN0M.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 1836)
        command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CTFN0M.exe >> NUL
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\CTFMOM.exe (PID 2592)
      command line: "C:\Windows\system32\CTFMOM.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 1708)
        command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CTFMOM.exe >> NUL
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\CTFM0M.exe (PID 2316)
      command line: "C:\Windows\system32\CTFM0M.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 672)
        command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CTFM0M.exe >> NUL
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\CTFM0N.exe (PID 2228)
      command line: "C:\Windows\system32\CTFM0N.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 888)
        command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CTFM0N.exe >> NUL
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\CIFN0N.exe (PID 1984)
      command line: "C:\Windows\system32\CIFN0N.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 1744)
        command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CIFN0N.exe >> NUL
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\csolzdmz0602.exe (PID 2248)
      command line: "C:\Windows\system32\csolzdmz0602.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
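The five cmd.exe children in the tree above share one shape: a dropped binary spawns "cmd.exe" /c del <its own image path> >> NUL, so the deleting process outlives the file it came from. The script below is an added detection example written for this report, not sandbox output: it reconstructs process-creation events from the Processes section (constructed records, plus one constructed control where cmd.exe deletes an unrelated temp file), extracts the del/erase target from each cmd.exe command line, and flags the cases where that target is the parent's own image. EVENTS, PARENTS, the field names and the system32-to-SysWOW64 alias in normalize() are assumptions for illustration.

```python
"""Detect the self-deletion pattern in the process tree above: a dropped
binary spawns cmd.exe to delete its own image ("cmd.exe" /c del <path> >> NUL).

Added detection example for this report; not part of the sandbox output.
EVENTS and PARENTS are constructed from the Processes section; the control
event (pid 4000) and the WoW64 alias handling are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Process-creation events built from the Processes section (constructed).
EVENTS = [
    {"pid": 1836, "ppid": 2732, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CTFN0M.exe >> NUL'},
    {"pid": 1708, "ppid": 2592, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CTFMOM.exe >> NUL'},
    {"pid": 672, "ppid": 2316, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CTFM0M.exe >> NUL'},
    {"pid": 888, "ppid": 2228, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CTFM0N.exe >> NUL'},
    {"pid": 1744, "ppid": 1984, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CIFN0N.exe >> NUL'},
    # Constructed control (not in the report): cmd.exe deleting an unrelated file.
    {"pid": 4000, "ppid": 2696, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del /q C:\Users\Admin\AppData\Local\Temp\work.tmp'},
]

# Parent pid -> parent image path, from the same tree (constructed lookup).
PARENTS = {
    2732: r"C:\Windows\SysWOW64\CTFN0M.exe",
    2592: r"C:\Windows\SysWOW64\CTFMOM.exe",
    2316: r"C:\Windows\SysWOW64\CTFM0M.exe",
    2228: r"C:\Windows\SysWOW64\CTFM0N.exe",
    1984: r"C:\Windows\SysWOW64\CIFN0N.exe",
    2696: r"C:\Users\Admin\AppData\Local\Temp\Temp\csolzdmz0602.exe",
}

# del/erase, optional switches such as /q /f, then a quoted or bare path.
DEL_RE = re.compile(r'\b(?:del|erase)\b((?:\s+/[a-z])*)\s+("[^"]+"|\S+)', re.IGNORECASE)


def normalize(path: str) -> str:
    """Strip quotes, lower-case, and fold the WoW64 alias: a 32-bit process
    naming C:\\Windows\\system32\\ is redirected to SysWOW64 (assumed mapping)."""
    p = path.strip('"').lower()
    return p.replace("\\windows\\system32\\", "\\windows\\syswow64\\")


def deletion_targets(cmdline: str) -> list:
    """Normalized paths named as del/erase operands in a command line."""
    return [normalize(m.group(2)) for m in DEL_RE.finditer(cmdline)]


def self_deletions(events=EVENTS, parents=PARENTS) -> list:
    """Return one record per cmd.exe child that deletes its parent's image."""
    hits = []
    for ev in events:
        if PureWindowsPath(ev["image"]).name.lower() != "cmd.exe":
            continue
        parent_image = parents.get(ev["ppid"])
        if parent_image is None:
            continue
        if normalize(parent_image) in deletion_targets(ev["cmdline"]):
            hits.append({"cmd_pid": ev["pid"], "parent_pid": ev["ppid"],
                         "deleted": parent_image})
    return hits


if __name__ == "__main__":
    for hit in self_deletions():
        print(f"cmd.exe {hit['cmd_pid']} deleted parent {hit['parent_pid']}: {hit['deleted']}")
```

The comparison is on the parent's image path rather than on the cmd.exe command line alone, so a benign cleanup (the control event) is not flagged; in a real pipeline the PARENTS lookup comes from the process-creation telemetry itself, and the del operand should also be matched against the parent's original drop path, since CTFNOM.exe shows that not every dropped copy is removed.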
Network

MITRE ATT&CK Enterprise v15
Downloads

Filesize: 673KB
MD5: 3fa55dd4cdfea45cf39db40311d634c9
SHA1: 38dcc3328d58ca9055c7f9201f71a9164bbc9f66
SHA256: 182e31f4069d482ee5923d8eb6aa62989f9f8cc6755ef05ec6c82398e509affb
SHA512: cc9a39b9e0eb83c39a338d2dbf862768bde1ff67c0127f2e8cfd83e4a00f935a1f3ca6337042f680bb653922e6ae12bb89d9499a3eca65886ad4a4e0f39bd6ef

Filesize: 2.2MB
MD5: 8d2b0070e22e2a0296f9d506522d701a
SHA1: 3120b4fc1cad0da0f978e90c7d630be9e4e36400
SHA256: 22ec9cb8d3d987dbf29f4e6a037ab8dcd46e653daac3e0c64f73626301b2b6ee
SHA512: 5f907d7039321887c1bec8363c80402cbcf6e70b4d1c7989d7805e49c22ea72d19fc53635a666a2c0616d7e506fc7cbddd75a9d215dba1f44a410b4c7171352a

Filesize: 27KB
MD5: 5a2d423664f3a1a89aad7b9cc55eeb85
SHA1: 8c5a43e179ecb381f562df9a9ba68db81a325888
SHA256: 4ab89f4926d59bb1ead6ecbe6242d607e4cbf547646af86ab7c3404429be4c2e
SHA512: 942576897f6e0436b34bee31adfdb3af1da84645e7bb26af02d82a7a95081e328a7cbdce4fbaa2b953cb3f0a999a8d4c6d94c3ae7b776412a52a4ed32c5d8077

Filesize: 26KB
MD5: 0c43996f86418385658a10579166bf82
SHA1: f5160bb14e1e72b801706425d281041045450833
SHA256: a4185fb096a3ce67b1f5c8e2137df19f33d8cbffb337d587ba1eacc316fa8279
SHA512: 2b75f320be629d60acfd9edc1e2f59b1e645f65a366648d54a71c897b2342bc050ef732599c0ccce1f8e7d7a476899451fd3b8c113a4ef58df98d8df4bceccc1

Filesize: 23KB
MD5: 102f44e4df328a8a1326a115a604275e
SHA1: 97c90ee748a7f805ac386c36d3893376f10d7c1c
SHA256: 56da6a991fd4cc55778f133985870be054c20bf7586b005bfa0720824d4b0762
SHA512: 3b2eb105f7c0d0f63929e820358a2656c92eb19d38e4425e5237c329f617325efc50d1384ec7fa54dbe716ca6c79c2b37e448129479ead641ba10dac95bfeaaa

Filesize: 25KB
MD5: ec7d978d43f112ce58bd5e43ff942a50
SHA1: f9686692015bdaf59905ad9696bd760ced23ba69
SHA256: 8f813edfb2a29d0cd467e1e635cf02db75503d2761fc0796e261b5e61191e03b
SHA512: 79be954b9f836be049d083688cc0120c5232d85ea4c59dd4461c33011631584efb3914ede7cee2616569bb48ce486a8cdbf6529711c0bdf42ac24e08e5b95f4c

Filesize: 27KB
MD5: c00d61797214ee2c62bd6044409029dc
SHA1: a67e9c4cd342293f41eda15e746c699e572c53e0
SHA256: 13dca89434b9a0c00d2e4f8fe82e99ecfbed82830c96f5f9e9018786f367d499
SHA512: 129b2f3de52c52e99a306a5126375291d93b54d1ba27485c66d7d513f269866b719fd503299f8511d26bd124fb4e889cf8aebcd0b0d9adc5bd831e26bcaf154f

Filesize: 15KB
MD5: ddd019ffb9e31ff03cc7339bb543eb4f
SHA1: 6c6c6d198fe8154e5962286059c6a200ad54f0b4
SHA256: fe4d316b4a2d8733152518b0533f6987b05819cdce6157b6b9355ea80637110a
SHA512: a2d775459b05fc8f14fdb5ef867e7c8bb0b07e21536b7b55d26531e8c03caf5d7fe9fab5ed082fb14ee6b7dae935186c9bc37d9d7de7b8bc91ff9583c64055f4

Filesize: 20KB
MD5: 05b91e614ef43f145efc2997b2b1af39
SHA1: 27c8a6d77874d317d36623c09b6bc60d3e9f4221
SHA256: 87c24d5ae3ab21740bd87485982e1b526c006669d61f8cac3a5b562ab59f7f19
SHA512: 380886d532b31bed113480745d33e3207b035df5517f667f391e4807717ca62ced756c542628e609ba5d9aea393244723a3d7e1230d55cb3a4964c1a965559eb

Filesize: 18KB
MD5: 6b64c135f5f03d2c7d178ce6a7831981
SHA1: e1fcde879e515824b458b01d452312d2c41f6be4
SHA256: 94e8c58b90e10aace4573e2fbc0f7f3b9e441eef96bebe4a702491bbfb10caa4
SHA512: 8686227861e9ac6d9010202ed93c0b61356022c11c3e4fd85fc45cda5ee967d93ee1e6e5facfe15d433f6fb831ce8b984c822f82f6bb9543bff692efb812c18e

Filesize: 21KB
MD5: 520722426e27cfe4aa089a17de31574e
SHA1: 5da29131e4e832629a15796606c81f44a2c014b2
SHA256: 0b75704d8f5998e8ec6efcb43c33413f85cbba954a215552198986ee7abdf803
SHA512: 99df881685bcd5b1bbd1028203257103797098fbebf6dd4eb45ada2f9793f542ab13908757ae672bd0aba1a5c8115af4624965fb57904282f27030bdaba6649c

Filesize: 2.0MB
MD5: 90ef94722bbeb371d8d4fcce820923d6
SHA1: c2b90b77fd2673bb4e194c2c7c690675357e3e88
SHA256: 2916d95150a2b576e786ab3b31ab943b00e44743dda58dac147cb7881d6def66
SHA512: 34b4fcc3c331c6e983f7184c5c65a4136b33fc111559bbe5ed2d3f4245a7c9a08ff8381f6b60ec8a9a5f5f8c50e1e4847da07419f1ebe5b1554eec6b6f538059

Filesize: 220KB
MD5: d54f9204d02f0e5335239284df3da4ac
SHA1: e8f32614d2233e8b89dfb336dbcaadc98720a757
SHA256: 3aa1c2f52bc7e6567c538b11a855282e7961f116a46ef1a8bf9750e46e88174e
SHA512: 68a9dcb990ef87a5de0fe86861755ff7d07e331a9bb1e84761c37a5c83f1f741000309a6082631a0e751ba66f2cecfad305b463f93d67d40e415af6289b07fba

Filesize: 17KB
MD5: c50a964eeabcc34352a52ac0b2fecabc
SHA1: cd63c3094552bf7d121d7d5806d57d2806c2d8b5
SHA256: d6a497acdd1c490e1afea5064aeaaddf64e128c9e7daa3078084f415d037f818
SHA512: 85fa9ab711199f2e5db72df43db984cdb70630d01bbaa33e2383c2835cf7eb88ae7df760b204d1bb911caabdcc16f7d0f30bf48c1b86cc1f029e5f930e27dfe5