Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2024 02:15
Behavioral task: behavioral1
- Sample: 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
- Size: 667KB
- MD5: 186cfcb4cda2c80706fb9d1e0c9a7ae2
- SHA1: 306d417d4d57b3b8d2ba379250264456d152e3dc
- SHA256: 014ad1e790ce3f6bdcf39afbeec9731bcd48d39e470c80f9270336d9288a2b37
- SHA512: 2b57017135cd0b4db89a0b2a8e823d654cfe11fd322c32ca47403b224c2b8ee4e14784dfa60a040c66b4b36055549e5e7b96843cf66ea88f2c3f2880e749e3a5
- SSDEEP: 12288:WbMqmsEEb4E9F/ATyGv4XKGQi2lJLm1Giizl6oAlpxElrW1A:WIOEEb4Ev/ATEXKGVnGTzpA1Ec1A
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies security service 2 TTPs 1 IoCs
Processes:
- bohost.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
- DV245F.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
- boofek.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
ModiLoader Second Stage 7 IoCs
Processes (resource: yara_rule):
- behavioral1/memory/2368-11-0x0000000000400000-0x000000000041F000-memory.dmp: modiloader_stage2
- behavioral1/memory/2792-13-0x0000000000400000-0x00000000004CF000-memory.dmp: modiloader_stage2
- behavioral1/memory/2792-15-0x0000000000400000-0x00000000004CF000-memory.dmp: modiloader_stage2
- \Users\Admin\aohost.exe: modiloader_stage2
- behavioral1/memory/2876-63-0x0000000000400000-0x000000000041E000-memory.dmp: modiloader_stage2
- behavioral1/memory/2792-89-0x0000000000400000-0x00000000004CF000-memory.dmp: modiloader_stage2
- behavioral1/memory/2792-271-0x0000000000400000-0x00000000004CF000-memory.dmp: modiloader_stage2
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Active Setup\Installed Components
Disables taskbar notifications via registry modification
-
Deletes itself 1 IoCs
Processes (pid process):
- 1452 cmd.exe
Executes dropped EXE 8 IoCs
Processes (pid process):
- 2556 DV245F.exe
- 2804 boofek.exe
- 2876 aohost.exe
- 240 aohost.exe
- 2656 bohost.exe
- 2040 dohost.exe
- 2136 bohost.exe
- 2336 bohost.exe
Loads dropped DLL 10 IoCs
Processes (pid process):
- 2792 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe (x2)
- 2556 DV245F.exe (x2)
- 2792 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe (x6)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes (resource: yara_rule):
- behavioral1/memory/2792-6-0x0000000000400000-0x00000000004CF000-memory.dmp: upx
- behavioral1/memory/2792-13-0x0000000000400000-0x00000000004CF000-memory.dmp: upx
- behavioral1/memory/2792-15-0x0000000000400000-0x00000000004CF000-memory.dmp: upx
- behavioral1/memory/2792-12-0x0000000000400000-0x00000000004CF000-memory.dmp: upx
- behavioral1/memory/2792-4-0x0000000000400000-0x00000000004CF000-memory.dmp: upx
- behavioral1/memory/2792-2-0x0000000000400000-0x00000000004CF000-memory.dmp: upx
- behavioral1/memory/240-68-0x0000000000400000-0x0000000000427000-memory.dmp: upx
- behavioral1/memory/240-67-0x0000000000400000-0x0000000000427000-memory.dmp: upx
- behavioral1/memory/240-66-0x0000000000400000-0x0000000000427000-memory.dmp: upx
- behavioral1/memory/240-61-0x0000000000400000-0x0000000000427000-memory.dmp: upx
- behavioral1/memory/240-57-0x0000000000400000-0x0000000000427000-memory.dmp: upx
- behavioral1/memory/240-55-0x0000000000400000-0x0000000000427000-memory.dmp: upx
- behavioral1/memory/2792-89-0x0000000000400000-0x00000000004CF000-memory.dmp: upx
- behavioral1/memory/2136-101-0x0000000000400000-0x0000000000452000-memory.dmp: upx
- behavioral1/memory/2656-103-0x0000000000400000-0x0000000000452000-memory.dmp: upx
- behavioral1/memory/2336-167-0x0000000000400000-0x0000000000452000-memory.dmp: upx
- behavioral1/memory/2656-169-0x0000000000400000-0x0000000000452000-memory.dmp: upx
- behavioral1/memory/2656-269-0x0000000000400000-0x0000000000452000-memory.dmp: upx
- behavioral1/memory/2792-271-0x0000000000400000-0x00000000004CF000-memory.dmp: upx
- behavioral1/memory/2656-275-0x0000000000400000-0x0000000000452000-memory.dmp: upx
Adds Run key to start application 2 TTPs 52 IoCs
Processes:
- DV245F.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe /P"
- boofek.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boofek = "C:\\Users\\Admin\\boofek.exe <switch>", written 50 times with the following switches in order: /H, /U, /l, /E, /O, /W, /d, /J, /Q, /f, /x, /o, /y, /X, /Z, /F, /h, /C, /s, /r, /n, /q, /L, /B, /S, /N, /P, /I, /m, /z, /a, /t, /k, /b, /K, /V, /M, /i, /c, /w, /R, /T, /v, /g, /Y, /e, /G, /p, /j, /A
- bohost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\E85.exe = "C:\\Program Files (x86)\\LP\\310D\\E85.exe" (recorded between the boofek.exe /s and /r entries)
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
- aohost.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- aohost.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
Suspicious use of SetThreadContext 2 IoCs
Processes (description, pid, process, target process):
- PID 2368 set thread context of 2792: 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe -> 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
- PID 2876 set thread context of 240: aohost.exe -> aohost.exe
Drops file in Program Files directory 3 IoCs
Processes:
- bohost.exe: File created C:\Program Files (x86)\LP\310D\E85.exe
- bohost.exe: File opened for modification C:\Program Files (x86)\LP\310D\C552.tmp
- bohost.exe: File opened for modification C:\Program Files (x86)\LP\310D\E85.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes (pid process):
- 2596 tasklist.exe
- 1596 tasklist.exe
Modifies registry class 5 IoCs
Processes:
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- explorer.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
- explorer.exe: Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid process, consecutive repeats collapsed):
- 2556 DV245F.exe (x2)
- 2804 boofek.exe (x2)
- 240 aohost.exe
- 2804 boofek.exe
- 2656 bohost.exe (x6)
- 2804 boofek.exe (x44)
- 2656 bohost.exe (x8)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid process):
- 2456 explorer.exe
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege 2596 tasklist.exe
- Token: SeRestorePrivilege 1432 msiexec.exe
- Token: SeTakeOwnershipPrivilege 1432 msiexec.exe
- Token: SeSecurityPrivilege 1432 msiexec.exe
- Token: SeShutdownPrivilege 2456 explorer.exe (x10)
- Token: SeDebugPrivilege 1596 tasklist.exe
- Token: SeShutdownPrivilege 2456 explorer.exe (x2)
Suspicious use of FindShellTrayWindow 28 IoCs
Processes (pid process):
- 2456 explorer.exe (x28)
Suspicious use of SendNotifyMessage 18 IoCs
Processes (pid process):
- 2456 explorer.exe (x18)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (pid process):
- 2792 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
- 2556 DV245F.exe
- 2804 boofek.exe
- 2040 dohost.exe
Suspicious use of WriteProcessMemory 60 IoCs
Processes (description, pid, process, target process; consecutive repeats collapsed):
- PID 2368 wrote to memory of 2792: 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe -> 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe (x8)
- PID 2792 wrote to memory of 2556: 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe -> DV245F.exe (x4)
- PID 2556 wrote to memory of 2804: DV245F.exe -> boofek.exe (x4)
- PID 2556 wrote to memory of 2564: DV245F.exe -> cmd.exe (x4)
- PID 2564 wrote to memory of 2596: cmd.exe -> tasklist.exe (x4)
- PID 2792 wrote to memory of 2876: 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe -> aohost.exe (x4)
- PID 2876 wrote to memory of 240: aohost.exe -> aohost.exe (x8)
- PID 2792 wrote to memory of 2656: 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe -> bohost.exe (x4)
- PID 2792 wrote to memory of 2040: 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe -> dohost.exe (x4)
- PID 2656 wrote to memory of 2136: bohost.exe -> bohost.exe (x4)
- PID 2656 wrote to memory of 2336: bohost.exe -> bohost.exe (x4)
- PID 2792 wrote to memory of 1452: 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe -> cmd.exe (x4)
- PID 1452 wrote to memory of 1596: cmd.exe -> tasklist.exe (x4)
System policy modification 1 TTPs 2 IoCs
Processes:
- bohost.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
- bohost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; the number in brackets is the depth in the tree)
- [1] C:\Users\Admin\AppData\Local\Temp\186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
    Command line: 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\DV245F.exe
      Command line: C:\Users\Admin\DV245F.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\boofek.exe
        Command line: "C:\Users\Admin\boofek.exe"
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del DV245F.exe
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\tasklist.exe
          Command line: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\aohost.exe
      Command line: C:\Users\Admin\aohost.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\aohost.exe
        Command line: aohost.exe
        - Executes dropped EXE
        - Maps connected drives based on registry
        - Suspicious behavior: EnumeratesProcesses
    - [3] C:\Users\Admin\bohost.exe
      Command line: C:\Users\Admin\bohost.exe
      - Modifies security service
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
      - [4] C:\Users\Admin\bohost.exe
        Command line: C:\Users\Admin\bohost.exe startC:\Users\Admin\AppData\Roaming\DB8BF\53731.exe%C:\Users\Admin\AppData\Roaming\DB8BF
        - Executes dropped EXE
      - [4] C:\Users\Admin\bohost.exe
        Command line: C:\Users\Admin\bohost.exe startC:\Program Files (x86)\BFFED\lvvm.exe%C:\Program Files (x86)\BFFED
        - Executes dropped EXE
    - [3] C:\Users\Admin\dohost.exe
      Command line: C:\Users\Admin\dohost.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 186cfcb4cda2c80706fb9d1e0c9a7ae2_JaffaCakes118.exe
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\explorer.exe
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Active Setup (1)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Active Setup (1)
Defense Evasion
- Modify Registry (5)
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
Downloads
- C:\Users\Admin\AppData\Roaming\DB8BF\FFED.B8B
  Filesize: 600B
  MD5: a1121e5ecf6fb3921aa0d8c42c3c1989
  SHA1: 23273dea591ddbcf9be65ea2f7f043aa54e2eed5
  SHA256: 04b24d19d13f37f865591b4bf43fd83bc27210e17dd90e6698a11c7d151a2b7a
  SHA512: 9710477b44f65e21735fb71d1875f1218be9ec18cd6dc3871add1dc286262dbe58c1a19c6929da2683bed753b67c11c5d4a3bb174e954e962cb9160df81743cd
- C:\Users\Admin\AppData\Roaming\DB8BF\FFED.B8B
  Filesize: 996B
  MD5: 5e4fa84bc317cf15d5f452c36ca4691a
  SHA1: 1e7a4ccc2fbd81202ead80b823bcc503b8e75015
  SHA256: 63847c01baf5bf18d0a82a32b832053353ab2edaded1d833e2ed58728fe62f8c
  SHA512: a0680a4d6330cab1ff3d7baae3f45d8afe6e980efed549f853420cfcdfd6539f4e7e68bcaa0736b1667ee13fe9452dcaa7d31664a1db9f516868d58039171d3d
- C:\Users\Admin\AppData\Roaming\DB8BF\FFED.B8B
  Filesize: 1KB
  MD5: a386659e44c4d9cf7c4a77e37effe1f2
  SHA1: 41ab82ccaabbb12dbe0a467a76c458b9f45048ff
  SHA256: 481c09298989a35dcdb9afe952566514e12dd568e0515164cfcaf627cfb08d12
  SHA512: 0da0d873e39699cade14f5e030e8a41dddb34aaed3bad7f9624ecca75df1d1bcd17f7b784a393c2bfb1e3e4876143f070d34c76623767db0a0200563212aee28
- C:\Users\Admin\AppData\Roaming\DB8BF\FFED.B8B
  Filesize: 1KB
  MD5: e0d638ae0e75100c1cb70ef38ee8c92b
  SHA1: fdc0ce88721a62c5c6d9130b41d1df565097f64c
  SHA256: e0b8f0517b6f1417dd2511ce5aaf3913a1762a6bf735f34e79f717fa292441e6
  SHA512: 9471a02c8b2448b7e9f047b0edd0d1c8926b27dcee1b190ee926913c93c39aaef4decd64d8d502d21f4d2d526870dc5cf2c176019b571dca7daaf23a8aa2a87b
- \Users\Admin\DV245F.exe
  Filesize: 216KB
  MD5: 00b1af88e176b5fdb1b82a38cfdce35b
  SHA1: c0f77262df92698911e0ac2f7774e93fc6b06280
  SHA256: 50f026d57fea9c00d49629484442ea59cccc0053d7db73168d68544a3bbf6f59
  SHA512: 9e55e7c440af901f9c6d0cdae619f6e964b9b75c9351c76ea64362ff161c150b12a1caabb3d2eb63353a59ae70e7159ca6b3793ed0cc11994766846ac316107f
- \Users\Admin\aohost.exe
  Filesize: 152KB
  MD5: 4401958b004eb197d4f0c0aaccee9a18
  SHA1: 50e600f7c5c918145c5a270b472b114faa72a971
  SHA256: 4c477ed134bc76fa7b912f1aad5e59d4f56f993baa16646e25fec2fdeed3bd8b
  SHA512: f0548bdaafce2cde2f9d3bd1c26ed3c8e9321ef6d706bd372e18886d834828e5bb54ae44f19764e94574ceb4a1a2a99bdd8476e174b05114fcac9a6d4a2d58e6
- \Users\Admin\bohost.exe
  Filesize: 173KB
  MD5: 0578a41258df62b7b4320ceaafedde53
  SHA1: 50e7c0b00f8f1e5355423893f10ae8ee844d70f4
  SHA256: 18941e3030ef70437a5330e4689ec262f887f6f6f1da1cd66c0cbae2a76e75bf
  SHA512: 5870a73798bad1f92b4d79f20bf618112ec8917574f6b25ab968c47afff419a829eef57b0282fb4c53e6e636436c8cf52a01426c46bdd4a0ea948d371f0feb09
- \Users\Admin\boofek.exe
  Filesize: 216KB
  MD5: 5624f404c4b9bfb034e7b17b22eb78bd
  SHA1: 8bec015f927c645ae74e73b9712934eaac045a9a
  SHA256: a32f602a3432b38373e9d73da719d99a5b820b6741050b3675208a4d41bfa82e
  SHA512: e2808013cd4696d10808334760ef39ad309e4d2e5e8789a9820c5c5c2610b4680938a2b847b5e6a953c47d980ab6eb0434b9973afd3c8aa9dfebd8aa06f53a15
- \Users\Admin\dohost.exe
  Filesize: 24KB
  MD5: d7390e209a42ea46d9cbfc5177b8324e
  SHA1: eff57330de49be19d2514dd08e614afc97b061d2
  SHA256: d2d49c37bdf2313756897245c3050494b39e824af448450eca1c0e83cf95b1e5
  SHA512: de0eb11dd20cd9d74f47b138fb4189a299a57173fe2635150045b01629354f35b26e0575acd25501403af0db238a123b2e5a79582b47aee1d6e786f5eec1929d
- memory/240-55-0x0000000000400000-0x0000000000427000-memory.dmp
  Filesize: 156KB
- memory/240-57-0x0000000000400000-0x0000000000427000-memory.dmp
  Filesize: 156KB
- memory/240-61-0x0000000000400000-0x0000000000427000-memory.dmp
  Filesize: 156KB
- memory/240-66-0x0000000000400000-0x0000000000427000-memory.dmp
  Filesize: 156KB
- memory/240-53-0x0000000000400000-0x0000000000427000-memory.dmp
  Filesize: 156KB
- memory/240-68-0x0000000000400000-0x0000000000427000-memory.dmp
  Filesize: 156KB
- memory/240-67-0x0000000000400000-0x0000000000427000-memory.dmp
  Filesize: 156KB
- memory/2136-101-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/2336-167-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/2368-11-0x0000000000400000-0x000000000041F000-memory.dmp
  Filesize: 124KB
- memory/2556-44-0x00000000041B0000-0x0000000004C6A000-memory.dmp
  Filesize: 10.7MB
- memory/2656-103-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/2656-275-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/2656-269-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/2656-169-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/2792-4-0x0000000000400000-0x00000000004CF000-memory.dmp
  Filesize: 828KB
- memory/2792-6-0x0000000000400000-0x00000000004CF000-memory.dmp
  Filesize: 828KB
- memory/2792-12-0x0000000000400000-0x00000000004CF000-memory.dmp
  Filesize: 828KB
- memory/2792-89-0x0000000000400000-0x00000000004CF000-memory.dmp
  Filesize: 828KB
- memory/2792-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/2792-15-0x0000000000400000-0x00000000004CF000-memory.dmp
  Filesize: 828KB
- memory/2792-13-0x0000000000400000-0x00000000004CF000-memory.dmp
  Filesize: 828KB
- memory/2792-2-0x0000000000400000-0x00000000004CF000-memory.dmp
  Filesize: 828KB
- memory/2792-271-0x0000000000400000-0x00000000004CF000-memory.dmp
  Filesize: 828KB
- memory/2792-0-0x0000000000400000-0x00000000004CF000-memory.dmp
  Filesize: 828KB
- memory/2876-63-0x0000000000400000-0x000000000041E000-memory.dmp
  Filesize: 120KB