Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-06-2024 07:13
Behavioral task: behavioral1
Sample: 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
Resource: win10v2004-20240226-en
Every signature hit, memory dump and process listed below is tagged behavioral1 (the Windows 7 run); no behavioral2 results appear on this page.
General
Target: 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
Size: 667KB
MD5: 193ea6da81b5c7dd4ab6f8d75edacbad
SHA1: b7b8efc05cbd82a238230bd0ae424487b0e43df6
SHA256: 300edf71749edacda3c092d9eb778673c9d7b1c49e215e3ea36ac22f80f74b07
SHA512: 847c2feca8d9af6f35e93e13b549b1170e05ceb2d475a8496a0df586b8df1dd955ab3f230ad100c734834887256c09349a80a4b2ec34955919ec4b7846cac75a
SSDEEP: 12288:WbMqmnEEb4E9F/ATyGv4XKGQi2lJLm1Giizl6oAlpxElrW1A:WI9EEb4Ev/ATEXKGVnGTzpA1Ec1A
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modifies security service 2 TTPs 1 IoCs
wscsvc is the Windows Security Center service. Start = 3 (SERVICE_DEMAND_START) switches it from automatic to manual start, so it no longer comes up at boot.
Processes: bohost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | bohost.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
ShowSuperHidden = 0 re-enables Explorer's "Hide protected operating system files" option, so hidden and system-attributed files stay invisible in the shell.
Processes: DV245F.exe, waace.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | DV245F.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | waace.exe
ModiLoader Second Stage 8 IoCs
resource | yara_rule
behavioral1/memory/2756-10-0x0000000000400000-0x000000000041F000-memory.dmp | modiloader_stage2
behavioral1/memory/2196-16-0x0000000000400000-0x00000000004CF000-memory.dmp | modiloader_stage2
behavioral1/memory/2196-15-0x0000000000400000-0x00000000004CF000-memory.dmp | modiloader_stage2
behavioral1/memory/2196-14-0x0000000000400000-0x00000000004CF000-memory.dmp | modiloader_stage2
\Users\Admin\aohost.exe | modiloader_stage2
behavioral1/memory/2496-65-0x0000000000400000-0x000000000041E000-memory.dmp | modiloader_stage2
behavioral1/memory/2196-131-0x0000000000400000-0x00000000004CF000-memory.dmp | modiloader_stage2
behavioral1/memory/2196-311-0x0000000000400000-0x00000000004CF000-memory.dmp | modiloader_stage2
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
The only writer recorded here is explorer.exe, which creates the per-user Installed Components key itself while processing Active Setup at logon. No sample process touched this key and no StubPath value pointing at a dropped file is recorded, so on this page the hit is weak evidence of persistence.
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Disables taskbar notifications via registry modification
No IoC rows are recorded under this signature; the related registry write on this page is the HideSCAHealth policy listed under System policy modification.
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
2036 | cmd.exe

Executes dropped EXE 8 IoCs
Processes: DV245F.exe, waace.exe, aohost.exe, bohost.exe, dohost.exe
pid | process
2540 | DV245F.exe
2564 | waace.exe
2496 | aohost.exe
2148 | aohost.exe
2616 | bohost.exe
736 | dohost.exe
880 | bohost.exe
1160 | bohost.exe

Loads dropped DLL 10 IoCs
Processes: 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe, DV245F.exe
pid | process | events
2196 | 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe | 8
2540 | DV245F.exe | 2
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

UPX packed file 22 IoCs
Memory regions of the hollowed main process (PID 2196) and of the dropped children aohost.exe (PID 2148) and bohost.exe (PIDs 2616, 880, 1160) match the upx packer YARA rule.
resource | yara_rule
behavioral1/memory/2196-<n>-0x0000000000400000-0x00000000004CF000-memory.dmp for n in 16, 15, 14, 13, 12, 6, 4, 2, 131, 311 | upx (10 dumps)
behavioral1/memory/2148-<n>-0x0000000000400000-0x0000000000427000-memory.dmp for n in 67, 62, 58, 56, 68, 132 | upx (6 dumps)
behavioral1/memory/880-126-0x0000000000400000-0x0000000000452000-memory.dmp | upx
behavioral1/memory/2616-<n>-0x0000000000400000-0x0000000000452000-memory.dmp for n in 133, 197, 309, 315 | upx (4 dumps)
behavioral1/memory/1160-195-0x0000000000400000-0x0000000000452000-memory.dmp | upx
Adds Run key to start application 2 TTPs 54 IoCs
Processes: waace.exe, bohost.exe, DV245F.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9A6.exe = "C:\\Program Files (x86)\\LP\\8624\\9A6.exe" | bohost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\waace = "C:\\Users\\Admin\\waace.exe /V" | DV245F.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\waace = "C:\\Users\\Admin\\waace.exe /<switch>" | waace.exe (52 writes)
All 52 waace.exe writes target the same value name and the same image path; only the trailing switch differs, and together the switches cover every letter A-Z and a-z exactly once. In the order recorded: /A /r /x /o /t /O /K /Z /v /p /m /l /I /U /F /D /h /X /W /a /R /w /n /f /T /g /L /E /N /j /V /P /u /B /q /G /M /b /H /i /C /Q /Y /e /k /y /d /S /z /J /c /s (the single DV245F.exe write, /V, falls between /U and /F). Each write overwrites the previous one, so at any instant there is one Run entry named waace; the switch is not a stable indicator, the value name and image path are.
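The 54 rows above are noisy: one value name, one image path, 52 different switches. As an added example (not part of the sandbox report), the Python below collapses rows written in the report's own row format into one persistence entry per registry value, keeping the set of switches and writing processes for reference, and applies a heuristic that flags autoruns pointing at an executable sitting directly in a user profile root, which is where this sample dropped waace.exe. The heuristic is an assumption, not something the report states, and the sample rows are a constructed subset of the list above.

```python
import re

# Constructed sample: a subset of the 54 "Set value" rows from the
# "Adds Run key to start application" signature, in the report's own
# row format: <description> <registry path> = "<data>" <process>.
RUN_KEY_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\waace = "C:\\Users\\Admin\\waace.exe /A" waace.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\waace = "C:\\Users\\Admin\\waace.exe /r" waace.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9A6.exe = "C:\\Program Files (x86)\\LP\\8624\\9A6.exe" bohost.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\waace = "C:\\Users\\Admin\\waace.exe /V" DV245F.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\waace = "C:\\Users\\Admin\\waace.exe /x" waace.exe',
]

ROW_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S+) = "(.*)" (\S+)$')
# Split "<image>.exe <args>": the image is everything up to the first ".exe".
CMD_RE = re.compile(r'^(.*?\.exe)(?:\s+(.*))?$', re.IGNORECASE)
# Heuristic (assumption, not from the report): an autorun whose image sits
# directly in a profile root, C:\Users\<name>\<file>.exe, is where this
# family drops its copies and is rarely where legitimate software installs.
PROFILE_ROOT_RE = re.compile(r'^[A-Z]:\\Users\\[^\\]+\\[^\\]+\.exe$', re.IGNORECASE)


def normalize_key(native_path):
    """Map a native \\REGISTRY\\... path to (hive, subkey, value_name)."""
    parts = native_path.split("\\")  # ['', 'REGISTRY', 'USER'|'MACHINE', ...]
    if parts[2] == "MACHINE":
        hive, rest = "HKLM", parts[3:]
    elif parts[2] == "USER":
        hive, rest = "HKU\\" + parts[3], parts[4:]  # parts[3] is the user SID
    else:
        raise ValueError(native_path)
    return hive, "\\".join(rest[:-1]), rest[-1]


def collapse_run_keys(rows):
    """Fold repeated writes to one Run value into a single persistence entry."""
    entries = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError("unrecognised row: " + row)
        _kind, key, data, writer = m.groups()
        hive, subkey, value_name = normalize_key(key)
        # The report prints registry data with doubled backslashes; undo that.
        cmd = CMD_RE.match(data.replace("\\\\", "\\"))
        image, args = cmd.group(1), cmd.group(2)
        entry = entries.setdefault((hive, subkey, value_name), {
            "image": image, "args": set(), "writers": set(), "writes": 0,
            "suspicious": bool(PROFILE_ROOT_RE.match(image)),
        })
        if args:
            entry["args"].add(args)
        entry["writers"].add(writer)
        entry["writes"] += 1
    return entries


if __name__ == "__main__":
    for (hive, subkey, name), e in collapse_run_keys(RUN_KEY_ROWS).items():
        flag = "SUSPICIOUS" if e["suspicious"] else "review"
        print(f"{flag}: {hive}\\{subkey}\\{name} -> {e['image']} "
              f"({e['writes']} writes by {sorted(e['writers'])}, switches {sorted(e['args'])})")
```

Run against the full 54 rows the output is two entries: the HKLM 9A6.exe value written once by bohost.exe, and the waace value written 53 times by waace.exe and DV245F.exe with 53 distinct switches. A detection keyed on the (hive, subkey, value name, image) tuple fires once; one keyed on the full command line would produce 53 near-duplicates.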
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: aohost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | aohost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | aohost.exe
Suspicious use of SetThreadContext 2 IoCs
In both pairs a parent redirects a thread inside a freshly spawned copy of its own image (main sample into main sample, aohost.exe into aohost.exe), and the WriteProcessMemory list further down records eight writes into each of those two children against four for every other child. That is the process hollowing / RunPE pattern: the payload is written over the suspended child and its entry point is set with SetThreadContext.
Processes: 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe, aohost.exe
description | source pid | source process | target pid | target process
set thread context | 2756 | 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe | 2196 | 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
set thread context | 2496 | aohost.exe | 2148 | aohost.exe
Drops file in Program Files directory 3 IoCs
The LP\8624\9A6.exe path is the same one bohost.exe registered under the HKLM Run key above. Writing under Program Files (x86) requires administrative rights, which the sandbox session evidently had.
Processes: bohost.exe
description | ioc | process
File created | C:\Program Files (x86)\LP\8624\9A6.exe | bohost.exe
File opened for modification | C:\Program Files (x86)\LP\8624\C0C0.tmp | bohost.exe
File opened for modification | C:\Program Files (x86)\LP\8624\9A6.exe | bohost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes: tasklist.exe
pid | process
2960 | tasklist.exe
1232 | tasklist.exe
Modifies registry class 5 IoCs
These keys (Local Settings\...\Shell\BagMRU, NodeSlots, MRUListEx) are Explorer's ShellBag bookkeeping, written by the shell whenever folders are viewed. With explorer.exe as the only writer this is background desktop activity, not an action of the sample.
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: DV245F.exe, waace.exe, aohost.exe, bohost.exe
pid | process | events
2540 | DV245F.exe | 2
2564 | waace.exe | 47
2148 | aohost.exe | 1
2616 | bohost.exe | 14
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: explorer.exe
pid | process
1808 | explorer.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs
tasklist.exe enables SeDebugPrivilege as part of its normal process enumeration, so those two rows are expected for the tool; what matters is that the sample's cmd.exe children launched it (see the process tree). The msiexec.exe and explorer.exe rows are Windows Installer and shell housekeeping.
Processes: tasklist.exe, msiexec.exe, explorer.exe
token | pid | process | events
SeDebugPrivilege | 2960 | tasklist.exe | 1
SeRestorePrivilege | 1984 | msiexec.exe | 1
SeTakeOwnershipPrivilege | 1984 | msiexec.exe | 1
SeSecurityPrivilege | 1984 | msiexec.exe | 1
SeShutdownPrivilege | 1808 | explorer.exe | 12
SeDebugPrivilege | 1232 | tasklist.exe | 1

Suspicious use of FindShellTrayWindow 28 IoCs
Processes: explorer.exe
pid | process | events
1808 | explorer.exe | 28

Suspicious use of SendNotifyMessage 17 IoCs
Processes: explorer.exe
pid | process | events
1808 | explorer.exe | 17

The three explorer.exe (PID 1808) signatures above describe the desktop shell's own window and tray activity during the run; nothing on this page attributes them to the sample.
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe, DV245F.exe, waace.exe, dohost.exe
pid | process
2196 | 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
2540 | DV245F.exe
2564 | waace.exe
736 | dohost.exe

Suspicious use of WriteProcessMemory 60 IoCs
Processes: 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe, DV245F.exe, cmd.exe, aohost.exe, bohost.exe
source pid | source process | target pid | target process | writes
2756 | 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe | 2196 | 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe | 8
2196 | 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe | 2540 | DV245F.exe | 4
2540 | DV245F.exe | 2564 | waace.exe | 4
2540 | DV245F.exe | 2652 | cmd.exe | 4
2652 | cmd.exe | 2960 | tasklist.exe | 4
2196 | 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe | 2496 | aohost.exe | 4
2496 | aohost.exe | 2148 | aohost.exe | 8
2196 | 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe | 2616 | bohost.exe | 4
2196 | 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe | 736 | dohost.exe | 4
2616 | bohost.exe | 880 | bohost.exe | 4
2616 | bohost.exe | 1160 | bohost.exe | 4
2196 | 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe | 2036 | cmd.exe | 4
2036 | cmd.exe | 1232 | tasklist.exe | 4
Every ordinary child receives exactly four writes, the parent populating the new process's startup data during CreateProcess. The two pairs with eight writes are the same two pairs listed under Suspicious use of SetThreadContext.
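Two parent/child pairs in the list above stand out: 2756 into 2196 and 2496 into 2148 each receive eight writes, carry a SetThreadContext event, and use the same image name at both ends; every other child gets exactly four writes and no context change. The Python below is an added example, not part of the report: it parses rows in the report's own "PID <src> wrote to memory of <dst> ..." format, rebuilds the process tree, and flags pairs matching that pattern. The baseline of four writes per ordinary CreateProcess is taken from this report alone and is an assumption for other data; the rows are constructed to mirror the counts listed above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, mirroring the report's counts: 8 writes into each
# hollowed child, 4 into every ordinary child, plus the two SetThreadContext rows.
MAIN = "193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe"
PAIRS = [  # (src pid, dst pid, src image, dst image, writes, set_thread_context)
    (2756, 2196, MAIN, MAIN, 8, True),
    (2196, 2540, MAIN, "DV245F.exe", 4, False),
    (2540, 2564, "DV245F.exe", "waace.exe", 4, False),
    (2540, 2652, "DV245F.exe", "cmd.exe", 4, False),
    (2652, 2960, "cmd.exe", "tasklist.exe", 4, False),
    (2196, 2496, MAIN, "aohost.exe", 4, False),
    (2496, 2148, "aohost.exe", "aohost.exe", 8, True),
    (2196, 2616, MAIN, "bohost.exe", 4, False),
    (2196, 736, MAIN, "dohost.exe", 4, False),
    (2616, 880, "bohost.exe", "bohost.exe", 4, False),
    (2616, 1160, "bohost.exe", "bohost.exe", 4, False),
    (2196, 2036, MAIN, "cmd.exe", 4, False),
    (2036, 1232, "cmd.exe", "tasklist.exe", 4, False),
]


def make_rows(pairs):
    """Expand the pair table into rows in the report's own format."""
    rows = []
    for src, dst, src_img, dst_img, n, stc in pairs:
        rows += [f"PID {src} wrote to memory of {dst} {src} {src_img} {dst_img}"] * n
        if stc:
            rows.append(f"PID {src} set thread context of {dst} {src} {src_img} {dst_img}")
    return rows


ROW_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)$")
# Assumption from this report: a plain CreateProcess shows up as 4 writes (the
# parent populating the child's startup data). More than that means the parent
# kept writing into the child's address space after it existed.
BASELINE_WRITES = 4


def parse_rows(rows):
    """Return (write counts per (src, dst), set of SetThreadContext pairs, pid -> image)."""
    writes, ctx, images = Counter(), set(), {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError("unrecognised row: " + row)
        src, op, dst, src_img, dst_img = int(m[1]), m[2], int(m[3]), m[4], m[5]
        images[src], images[dst] = src_img, dst_img
        if op.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return writes, ctx, images


def hollowing_candidates(rows):
    """Parent spawned a child of its own image, wrote past the CreateProcess
    baseline, then redirected a thread: the hollowing / RunPE signature."""
    writes, ctx, images = parse_rows(rows)
    return sorted(
        (src, dst, images[src])
        for (src, dst), n in writes.items()
        if (src, dst) in ctx and images[src] == images[dst] and n > BASELINE_WRITES
    )


def process_tree(rows):
    """Return ({parent: [children in first-seen order]}, [root pids])."""
    children, seen_as_child = defaultdict(list), set()
    for src, dst in parse_rows(rows)[0]:  # Counter keeps insertion order
        if dst not in children[src]:
            children[src].append(dst)
        seen_as_child.add(dst)
    roots = [p for p in children if p not in seen_as_child]
    return children, roots


def render_tree(rows):
    """Indented one-line-per-process view, like the sandbox's tree."""
    children, roots = process_tree(rows)
    images = parse_rows(rows)[2]
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{images[pid]} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    rows = make_rows(PAIRS)
    print("\n".join(render_tree(rows)))
    print("hollowing candidates:", hollowing_candidates(rows))
```

The same-image test is what separates hollowing from the bohost.exe pairs (2616 into 880 and 1160), which also reuse the parent's image but show only the four baseline writes and no SetThreadContext.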
System policy modification 1 TTPs 2 IoCs
HideSCAHealth = 1 under the machine-wide Explorer policy hides the Security Center (Action Center) health icon from the notification area, so the warning the shell would otherwise raise about the Security Center service being set to manual start (see Modifies security service) is not shown.
Processes: bohost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | bohost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | bohost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth in brackets; PIDs taken from the signature tables above.

[1] C:\Users\Admin\AppData\Local\Temp\193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe (PID 2756)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe (PID 2196)
      cmdline: 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\DV245F.exe (PID 2540)
        cmdline: C:\Users\Admin\DV245F.exe
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\waace.exe (PID 2564)
          cmdline: "C:\Users\Admin\waace.exe"
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2652)
          cmdline: "C:\Windows\System32\cmd.exe" /c tasklist&&del DV245F.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\tasklist.exe (PID 2960)
            cmdline: tasklist
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\aohost.exe (PID 2496)
        cmdline: C:\Users\Admin\aohost.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\aohost.exe (PID 2148)
          cmdline: aohost.exe
          - Executes dropped EXE
          - Maps connected drives based on registry
          - Suspicious behavior: EnumeratesProcesses
    [3] C:\Users\Admin\bohost.exe (PID 2616)
        cmdline: C:\Users\Admin\bohost.exe
        - Modifies security service
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      [4] C:\Users\Admin\bohost.exe
          cmdline: C:\Users\Admin\bohost.exe startC:\Users\Admin\AppData\Roaming\4E53A\9EE86.exe%C:\Users\Admin\AppData\Roaming\4E53A
          - Executes dropped EXE
      [4] C:\Users\Admin\bohost.exe
          cmdline: C:\Users\Admin\bohost.exe startC:\Program Files (x86)\3A436\lvvm.exe%C:\Program Files (x86)\3A436
          - Executes dropped EXE
          (the two bohost.exe children are PIDs 880 and 1160; see Executes dropped EXE)
    [3] C:\Users\Admin\dohost.exe (PID 736)
        cmdline: C:\Users\Admin\dohost.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2036)
        cmdline: "C:\Windows\System32\cmd.exe" /c tasklist&&del 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
        - Deletes itself
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\tasklist.exe (PID 1232)
          cmdline: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\msiexec.exe (PID 1984)
    cmdline: C:\Windows\system32\msiexec.exe /V
    - Suspicious use of AdjustPrivilegeToken
    (a separate root, not a child of the sample; msiexec /V is the Windows Installer service's own server process)

[1] C:\Windows\explorer.exe (PID 1808)
    cmdline: explorer.exe
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    (the desktop shell; every hit attributed to it here is shell housekeeping)
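Both cmd.exe instances in the tree run the same idiom: "/c tasklist&&del <parent image>". tasklist is there only to burn time so the parent can exit and release its file lock before del runs; cmd.exe's own parent is the file being deleted. The Python below is an added example, not part of the report: a process-creation detection that parses cmd.exe command lines, finds del/erase targets, and fires only when the target's file name matches the parent image. The events are constructed from the two command lines above plus a benign control; the extra delay commands (ping, timeout, choice, waitfor) are common variants added for generality and were not observed in this sample.

```python
import re

# Constructed process-creation events. The two cmd.exe command lines are the
# ones recorded in the process tree above; the third is a benign control.
EVENTS = [
    {"pid": 2652, "parent_pid": 2540,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Users\Admin\DV245F.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c tasklist&&del DV245F.exe'},
    {"pid": 2036, "parent_pid": 2196,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c tasklist&&del 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe'},
    {"pid": 3100, "parent_pid": 1808,   # benign: deletes a log, not its parent
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c del /q C:\Users\Admin\AppData\Local\Temp\build.log"},
]

# Commands commonly chained ahead of the delete so the parent has time to exit
# and release its file lock. tasklist is what this sample uses; the others are
# generalisations not observed in this report.
DELAY_CMDS = {"tasklist", "ping", "timeout", "choice", "waitfor"}
CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")   # longer operators first
DEL_RE = re.compile(r"^(?:del|erase)\b(.*)$", re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')                # keep quoted paths whole


def basename(path):
    """Lower-cased final path component, quotes stripped."""
    return path.replace('"', "").rstrip("\\").split("\\")[-1].lower()


def cmd_body(cmdline):
    """Text after cmd's /c or /k switch, or None when cmd was not given a command."""
    m = re.search(r"\s/[ck]\s+(.*)$", cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def delete_targets(body):
    """Yield (chain position, file argument) for every del/erase in a command chain."""
    for pos, segment in enumerate(CHAIN_SPLIT.split(body)):
        m = DEL_RE.match(segment.strip())
        if not m:
            continue
        # drop del's own switches (/f /q /a ...) and take the last argument as the file
        args = [t for t in TOKEN_RE.findall(m.group(1)) if not t.startswith("/")]
        if args:
            yield pos, args[-1]


def detect_self_delete(events):
    """Flag cmd.exe children whose command chain deletes the file their parent runs from."""
    hits = []
    for ev in events:
        if basename(ev["image"]) != "cmd.exe":
            continue
        body = cmd_body(ev["cmdline"])
        if body is None:
            continue
        segments = [s.strip() for s in CHAIN_SPLIT.split(body)]
        for pos, target in delete_targets(body):
            if basename(target) != basename(ev["parent_image"]):
                continue
            leading = [s.split()[0].lower() for s in segments[:pos] if s]
            hits.append({
                "pid": ev["pid"], "parent_pid": ev["parent_pid"],
                "deleted": basename(target),
                "delayed_by": [c for c in leading if c in DELAY_CMDS],
            })
    return hits


if __name__ == "__main__":
    for hit in detect_self_delete(EVENTS):
        print(f"self-delete: cmd.exe {hit['pid']} removes {hit['deleted']} "
              f"(parent {hit['parent_pid']}), delayed by {hit['delayed_by'] or 'nothing'}")
```

Matching on the parent's file name rather than on "tasklist&&del" keeps the rule from firing on ordinary cleanup scripts while still catching the same trick with a different delay command or a full path in the del argument.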
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Active Setup (1)
Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Active Setup (1)
Defense Evasion
  Modify Registry (5)
  Hide Artifacts (1)
    Hidden Files and Directories (1)
Downloads

C:\Users\Admin\AppData\Roaming\4E53A\A436.E53 (the same path was captured five times with different contents)
  Filesize: 600B
  MD5: d51f25747a6cb6ee5103e38ed789fafc
  SHA1: 58cfa91bddc6a774f25f7e5adb80a75e4330e7fa
  SHA256: e78a1be3fc39a7956fbf25ea398edb80ec24775ff92838279b70074f79d88f7f
  SHA512: f5cabb6238235c0b35ce2dd05baa28c59f6c3b24acfb0205599c352baccc0b0bc3fdef1371bce6fcd09e37ce2e396ceeee79714aeecacb3f35991cb6d360a4c6

C:\Users\Admin\AppData\Roaming\4E53A\A436.E53
  Filesize: 996B
  MD5: 416ecdfe4698d01dc8554d95e9678f43
  SHA1: 6afd6a26e7ded194c5ceea636217566376191aa4
  SHA256: e140e4f531e3d0dd46bf30e352d08b46949c2af9ed20662880c2c263cd5923be
  SHA512: 9271232cc0879126f6292723cfd31d1bcc914755101e50f9ce3d4c3ee348a65de7e1ec8a1b427fa8a44e5e47282ed53b15687c7f861aded470052fc504a3b6d3

C:\Users\Admin\AppData\Roaming\4E53A\A436.E53
  Filesize: 1KB
  MD5: 7c6f57640fc3e8959c56fbf7126cf3a8
  SHA1: a91d58ed6dae37524bd7485fbd180895d7f0c08e
  SHA256: 13a30ef052bebcbffa0ae3cfe12bbdba77c5ca3ed659ced8e5856a1d96a2265a
  SHA512: e36af2566037f8259ee47647a9442d146d3add3c19e42951d28a84cae88410ef1646518819211351abe3aa6d5d67557e93c3606dccd23f2b6fb2579dcfb5bd3e

C:\Users\Admin\AppData\Roaming\4E53A\A436.E53
  Filesize: 1KB
  MD5: 1cf995d2316a2a67ab9283fba547cb09
  SHA1: 6c30a1144413a44b8a2d2f3645d785b3399e59ea
  SHA256: 03a3bd8cf4a44105b92b379c8cce4ce41ec18a0bdaac5222020cb9bd3d55a8de
  SHA512: 7a771705dd20ca4b6d30a3aae49f8bf0b11a2aa1568195b14526be06a66ce9982118aca85b55c8b55303d2e9a6db3f8db17d6ba6da45c33d6a33bb3b20b80c0d

C:\Users\Admin\AppData\Roaming\4E53A\A436.E53
  Filesize: 300B
  MD5: 70235ead2db53155171b367fa831f81b
  SHA1: f1dca958316e7233eac49122942e653388e0a965
  SHA256: a821d49c81032e604719bfde364f9f283ca9647499d445347ae96d279d0c4320
  SHA512: d0d1c911d22b2edaa82ca5145ed2ffbfe80acb75d20380f0340e68713259dc8979f9079ba4ae8327a6c06c6db569601b4a8e530f20f3084b5acec953aa12ae2c

\Users\Admin\DV245F.exe
  Filesize: 216KB
  MD5: 00b1af88e176b5fdb1b82a38cfdce35b
  SHA1: c0f77262df92698911e0ac2f7774e93fc6b06280
  SHA256: 50f026d57fea9c00d49629484442ea59cccc0053d7db73168d68544a3bbf6f59
  SHA512: 9e55e7c440af901f9c6d0cdae619f6e964b9b75c9351c76ea64362ff161c150b12a1caabb3d2eb63353a59ae70e7159ca6b3793ed0cc11994766846ac316107f

\Users\Admin\aohost.exe
  Filesize: 152KB
  MD5: 4401958b004eb197d4f0c0aaccee9a18
  SHA1: 50e600f7c5c918145c5a270b472b114faa72a971
  SHA256: 4c477ed134bc76fa7b912f1aad5e59d4f56f993baa16646e25fec2fdeed3bd8b
  SHA512: f0548bdaafce2cde2f9d3bd1c26ed3c8e9321ef6d706bd372e18886d834828e5bb54ae44f19764e94574ceb4a1a2a99bdd8476e174b05114fcac9a6d4a2d58e6

\Users\Admin\bohost.exe
  Filesize: 173KB
  MD5: 0578a41258df62b7b4320ceaafedde53
  SHA1: 50e7c0b00f8f1e5355423893f10ae8ee844d70f4
  SHA256: 18941e3030ef70437a5330e4689ec262f887f6f6f1da1cd66c0cbae2a76e75bf
  SHA512: 5870a73798bad1f92b4d79f20bf618112ec8917574f6b25ab968c47afff419a829eef57b0282fb4c53e6e636436c8cf52a01426c46bdd4a0ea948d371f0feb09

\Users\Admin\dohost.exe
  Filesize: 24KB
  MD5: d7390e209a42ea46d9cbfc5177b8324e
  SHA1: eff57330de49be19d2514dd08e614afc97b061d2
  SHA256: d2d49c37bdf2313756897245c3050494b39e824af448450eca1c0e83cf95b1e5
  SHA512: de0eb11dd20cd9d74f47b138fb4189a299a57173fe2635150045b01629354f35b26e0575acd25501403af0db238a123b2e5a79582b47aee1d6e786f5eec1929d

\Users\Admin\waace.exe
  Filesize: 216KB
  MD5: d45c2df5d422e919bf92a9dd7c99140f
  SHA1: 254e7b934d579aba49538cb3794df8a6a0b81701
  SHA256: 1e972f867cd5408171660dcf9fcf6b0eda552bcf72095ae282bf39e14b225db4
  SHA512: a94dab93389fdaf1a607b0bb497685b3da84986a380a59994fc75a3b5b1b5d0ba1752322d6c01e1f2675d00544d952225849037dcd0ffa2e7447bdc8129510ad

Memory dumps (name: Filesize)
memory/880-126-0x0000000000400000-0x0000000000452000-memory.dmp: 328KB
memory/1160-195-0x0000000000400000-0x0000000000452000-memory.dmp: 328KB
memory/2148-132-0x0000000000400000-0x0000000000427000-memory.dmp: 156KB
memory/2148-58-0x0000000000400000-0x0000000000427000-memory.dmp: 156KB
memory/2148-68-0x0000000000400000-0x0000000000427000-memory.dmp: 156KB
memory/2148-54-0x0000000000400000-0x0000000000427000-memory.dmp: 156KB
memory/2148-56-0x0000000000400000-0x0000000000427000-memory.dmp: 156KB
memory/2148-67-0x0000000000400000-0x0000000000427000-memory.dmp: 156KB
memory/2148-62-0x0000000000400000-0x0000000000427000-memory.dmp: 156KB
memory/2196-12-0x0000000000400000-0x00000000004CF000-memory.dmp: 828KB
memory/2196-15-0x0000000000400000-0x00000000004CF000-memory.dmp: 828KB
memory/2196-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
memory/2196-2-0x0000000000400000-0x00000000004CF000-memory.dmp: 828KB
memory/2196-4-0x0000000000400000-0x00000000004CF000-memory.dmp: 828KB
memory/2196-6-0x0000000000400000-0x00000000004CF000-memory.dmp: 828KB
memory/2196-311-0x0000000000400000-0x00000000004CF000-memory.dmp: 828KB
memory/2196-131-0x0000000000400000-0x00000000004CF000-memory.dmp: 828KB
memory/2196-0-0x0000000000400000-0x00000000004CF000-memory.dmp: 828KB
memory/2196-16-0x0000000000400000-0x00000000004CF000-memory.dmp: 828KB
memory/2196-13-0x0000000000400000-0x00000000004CF000-memory.dmp: 828KB
memory/2196-14-0x0000000000400000-0x00000000004CF000-memory.dmp: 828KB
memory/2496-65-0x0000000000400000-0x000000000041E000-memory.dmp: 120KB
memory/2540-45-0x0000000004050000-0x0000000004B0A000-memory.dmp: 10.7MB
memory/2616-197-0x0000000000400000-0x0000000000452000-memory.dmp: 328KB
memory/2616-133-0x0000000000400000-0x0000000000452000-memory.dmp: 328KB
memory/2616-309-0x0000000000400000-0x0000000000452000-memory.dmp: 328KB
memory/2616-315-0x0000000000400000-0x0000000000452000-memory.dmp: 328KB
memory/2756-10-0x0000000000400000-0x000000000041F000-memory.dmp: 124KB
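The dump names above encode pid-sequence-start-end, so each region's size is recoverable from the name (0x4CF000 - 0x400000 = 828KB for PID 2196, matching the listed filesize). The Python below is an added example, not part of the report: it parses the names, groups distinct regions per PID, and compares each image-base region with the on-disk size of the file that started the process. For the hollowed main process (828KB in memory against 667KB on disk), aohost.exe's child and the bohost.exe processes the image grew, which is what a runtime unpacker does and why the upx YARA rule matched exactly those regions; a large uninitialised-data section can produce the same growth, so treat it as a lead rather than proof. The 0x400000 image base and the PID-to-image map are taken from this report; the list of names is a constructed subset of the one above.

```python
import re
from collections import defaultdict

# Constructed subset of the dump names listed above. Sandbox naming scheme:
#   memory/<pid>-<sequence>-<start>-<end>-memory.dmp
DUMP_NAMES = [
    "memory/2756-10-0x0000000000400000-0x000000000041F000-memory.dmp",
    "memory/2196-0-0x0000000000400000-0x00000000004CF000-memory.dmp",
    "memory/2196-16-0x0000000000400000-0x00000000004CF000-memory.dmp",
    "memory/2196-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/2496-65-0x0000000000400000-0x000000000041E000-memory.dmp",
    "memory/2148-58-0x0000000000400000-0x0000000000427000-memory.dmp",
    "memory/2148-132-0x0000000000400000-0x0000000000427000-memory.dmp",
    "memory/2616-133-0x0000000000400000-0x0000000000452000-memory.dmp",
    "memory/880-126-0x0000000000400000-0x0000000000452000-memory.dmp",
    "memory/2540-45-0x0000000004050000-0x0000000004B0A000-memory.dmp",
]

# PID -> image from the process tree; on-disk sizes (KB) from the hashes above.
MAIN = "193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe"
PID_IMAGE = {2756: MAIN, 2196: MAIN, 2540: "DV245F.exe", 2496: "aohost.exe",
             2148: "aohost.exe", 2616: "bohost.exe", 880: "bohost.exe"}
DISK_KB = {MAIN: 667, "DV245F.exe": 216, "aohost.exe": 152, "bohost.exe": 173}

DUMP_RE = re.compile(r"(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
IMAGE_BASE = 0x400000   # assumption: default base of a 32-bit, non-relocated PE


def parse_dump_name(name):
    """Split a dump name into pid, sequence number, region bounds and size in KB."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError("not a sandbox dump name: " + name)
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end,
            "size_kb": (end - start) // 1024}


def regions_by_pid(names):
    """{pid: {(start, end): size_kb}}; repeated dumps of one region collapse to one entry."""
    regions = defaultdict(dict)
    for d in map(parse_dump_name, names):
        regions[d["pid"]].setdefault((d["start"], d["end"]), d["size_kb"])
    return regions


def unpacked_in_memory(names, pid_image, disk_kb):
    """PIDs whose image-base region is larger than the file that started them.

    A packer such as UPX ships a compressed file and expands it in place, so
    the mapped image outgrows the file. A big uninitialised-data section can
    look the same, so this is a lead to confirm (here the upx YARA hits do)."""
    grown = {}
    for pid, regions in regions_by_pid(names).items():
        image = pid_image.get(pid)
        for (start, _end), kb in regions.items():
            if start == IMAGE_BASE and image in disk_kb and kb > disk_kb[image]:
                grown[pid] = (image, kb, disk_kb[image])
    return grown


if __name__ == "__main__":
    for pid, (image, mem_kb, file_kb) in sorted(unpacked_in_memory(DUMP_NAMES, PID_IMAGE, DISK_KB).items()):
        print(f"PID {pid} {image}: {mem_kb}KB mapped at 0x{IMAGE_BASE:X} vs {file_kb}KB on disk")
```

The outer main process (PID 2756) is the other way round: a 124KB image region from a 667KB file, the leftover being payload the loader carries outside its mapped sections and writes into the hollowed child.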