Analysis
max time kernel: 122s
max time network: 104s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 22/05/2025, 18:04
Behavioral task: behavioral1
Sample: JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe
Resource: win11-20250502-en
General
Target: JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe
Size: 2.2MB
MD5: 07c4e640cab5f98750ca5adacef9c814
SHA1: 4acc32d617fb9e87480005a3faea95e36fc50a4c
SHA256: e473363480c89b271e7165a41c606644639226749a51fc2b3ea6a302a7579c96
SHA512: 8c1b4105e83e5cd9ac5456ba06eb571c2f53c58167920cc0da3c257c095e35096409669b2e8d8695dfc2fa2cef63d1c9969e59986111116205dced77910ed2c9
SSDEEP: 24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ7:0UzeyQMS4DqodCnoe+iitjWwwv
Malware Config
Extracted: pony
http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures
Detects Mofksys worm 64 IoCs
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (explorer.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (explorer.exe)
Mofksys family
Pony family
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" (explorer.exe)
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} (explorer.exe)
Drops startup file 5 IoCs
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\explorer.exe (taskmgr.exe)
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe (JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe (JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe)
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe (explorer.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe (explorer.exe)
Executes dropped EXE 64 IoCs
Adds Run key to start application 2 TTPs 2 IoCs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (explorer.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (explorer.exe)
Suspicious use of SetThreadContext 36 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
Modifies registry class 1 IoCs
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask (taskmgr.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 3 IoCs
Token: SeDebugPrivilege 1816 (taskmgr.exe)
Token: SeSystemProfilePrivilege 1816 (taskmgr.exe)
Token: SeCreateGlobalPrivilege 1816 (taskmgr.exe)
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe" | PID 3328
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  [level 2] C:\Windows\splwow64.exe | cmdline: C:\Windows\splwow64.exe 12288 | PID 4212
  [level 2] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe" | PID 5004
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [level 3] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 560
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      [level 4] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 2532
        - Modifies WinLogon for persistence
        - Modifies visibility of hidden/system files in Explorer
        - Boot or Logon Autostart Execution: Active Setup
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2512
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 820
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 796
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              [level 8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 2096
                - System Location Discovery: System Language Discovery
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2536
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 556
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2760
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4796
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1244
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 1148
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5440
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2324
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2296
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4904
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1308
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2136
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 5020
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              [level 8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 4388
                - System Location Discovery: System Language Discovery
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 3536
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4184
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5552
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 5012
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2700
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4772
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2988
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 1364
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 5368
              - Executes dropped EXE
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              [level 8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 5664
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 3344
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 1472
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1780
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2304
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 4924
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2172
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 6092
              - Executes dropped EXE
              - Drops file in Windows directory
              [level 8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 960
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 3336
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 3016
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2208
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 3340
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2716
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4980
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 5996
              - Executes dropped EXE
              - Drops file in Windows directory
              [level 8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 1636
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5080
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 5240
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 4256
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 5992
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5092
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4528
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 4952
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4580
            - Suspicious use of SetWindowsHookEx
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 3060
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              [level 8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 1932
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 484
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2852
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2356
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2376
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 4520
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2780
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 904
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 3132
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 3276
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              [level 8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 424
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 432
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4076
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 4640
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 5524
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1456
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2004
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 5452
              - Drops file in Windows directory
              [level 8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 5548
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1704
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 3924
            - Suspicious use of SetWindowsHookEx
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 5104
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              [level 8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 4932
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 3960
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 1332
            - System Location Discovery: System Language Discovery
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 896
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              [level 8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 1564
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2720
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 5964
            - System Location Discovery: System Language Discovery
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 1568
              - System Location Discovery: System Language Discovery
              [level 8] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 564
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2736
          - Executes dropped EXE
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2320
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 4272
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1284
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 5672
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 2396
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 3864
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 1376
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 4560
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5044
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 3056
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 2084
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5236
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2540
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 2036
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1944
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 672
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 1972
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 3052
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4144
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 3444
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2276
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 4780
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4784
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2228
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 5472
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5848
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 3348
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 3612
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 1848
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 3180
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 3360
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 248
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 2972
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2648
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 3800
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1512
          - Drops file in Windows directory
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 4372
            [level 7] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe | PID 3604
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 3728
          - System Location Discovery: System Language Discovery
          [level 6] \??\c:\windows\system\spoolsv.exe | cmdline: "c:\windows\system\spoolsv.exe" | PID 5232
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1608
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 4880
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1808
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 624
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 3128
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 4544
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 6096
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5008
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5944
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 5604
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 2680
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 3100
        [level 5] \??\c:\windows\system\spoolsv.exe | cmdline: c:\windows\system\spoolsv.exe SE | PID 1112
[level 1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc | PID 5840
[level 1] C:\Windows\System32\rundll32.exe | cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | PID 2224
[level 1] C:\Windows\system32\taskmgr.exe | cmdline: "C:\Windows\system32\taskmgr.exe" /0 | PID 1816
  - Drops startup file
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[level 1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c c:\windows\system\explorer.exe RO | PID 6060
  - Suspicious use of WriteProcessMemory
  [level 2] \??\c:\windows\system\explorer.exe | cmdline: c:\windows\system\explorer.exe RO | PID 5348
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    [level 3] \??\c:\windows\system\explorer.exe | cmdline: "c:\windows\system\explorer.exe" | PID 3788
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
[level 1] C:\Windows\system32\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c c:\windows\system\svchost.exe RO | PID 1436
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_07c4e640cab5f98750ca5adacef9c814.exe
Filesize: 2.2MB
MD5: 07c4e640cab5f98750ca5adacef9c814
SHA1: 4acc32d617fb9e87480005a3faea95e36fc50a4c
SHA256: e473363480c89b271e7165a41c606644639226749a51fc2b3ea6a302a7579c96
SHA512: 8c1b4105e83e5cd9ac5456ba06eb571c2f53c58167920cc0da3c257c095e35096409669b2e8d8695dfc2fa2cef63d1c9969e59986111116205dced77910ed2c9

Filesize: 74B
MD5: 6687785d6a31cdf9a5f80acb3abc459b
SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Filesize: 2.2MB
MD5: db9ab672c2f43b8340a59f2e56cdcccc
SHA1: dae282efd250ac51111a8bb713046704223623ea
SHA256: 1bd2cf13501b89281d3257b304a708b367654010b76cfc200fb73b8f2fe2ba6c
SHA512: c531b3441a232d9616804947f1e91884b7c01f919e12898c17c8eeba00869fd1154eb37c39e3f4de836266ad5acc0c17bc1ea53ee288a4b5b394436d0ad0052b

Filesize: 2.2MB
MD5: a0a3761b833079783b9cc09871050213
SHA1: aa9e8a215ff160aacdf5240a870ae04185fd48d8
SHA256: f91d94359d06e22faf90258833f93514822c36efff30c0831fd95adc726ddca3
SHA512: 8c0be6680df486d681910cba4403f541fd8c61fc12dc4a58f53a1e76db3e72a4a4a1f46d75fafccb5bf7f9483faa1a5d28682bb5e36d6c668fa72c0344e44468