Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 28-06-2024 08:13

Behavioral task: behavioral1
  Sample: 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe
  Resource: win10v2004-20240508-en

General

Target: 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe
Size: 667KB
MD5: 19692ed7b4d90397bb54fb483823e32c
SHA1: 4bb7b5a2cea25d928f22a799d9edeaf8806eb012
SHA256: 6862bae6ba9e69a63484969adc77f3742d3ff10181560effd9902b193901613e
SHA512: ceaf30d1257dd0f7abef3f03db33496b1ea86ca8f8deea123728baa4a104108e97dd9a7b2695e2efbfa81a48ef26e8c4e0ff52dbf83b27fc4389ca456f455ad4
SSDEEP: 12288:WbMqmwEEb4E9F/ATyGv4XKGQi2lJLm1Giizl6oAlpxElrW1A:WI+EEb4Ev/ATEXKGVnGTzpA1Ec1A
Malware Config
Signatures
ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modifies security service (2 TTPs, 1 IoC)
  Processes: bohost.exe
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" (bohost.exe)
    wscsvc is the Windows Security Center service. Start = 2 is Automatic, 3 is Manual (demand start) and 4 is Disabled, so this write stops the service from starting at boot without marking it disabled.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Processes: DV245F.exe, ziuowi.exe
  - Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (DV245F.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (ziuowi.exe)
    ShowSuperHidden = 0 keeps files carrying the hidden+system attributes out of Explorer listings (the "hide protected operating system files" setting), so dropped files marked that way stay out of sight.
ModiLoader Second Stage (7 IoCs)
  YARA rule matches (modiloader_stage2):
  - behavioral1/memory/788-9-0x0000000000400000-0x000000000041F000-memory.dmp
  - behavioral1/memory/2072-14-0x0000000000400000-0x00000000004CF000-memory.dmp
  - behavioral1/memory/2072-13-0x0000000000400000-0x00000000004CF000-memory.dmp
  - \Users\Admin\aohost.exe
  - behavioral1/memory/2568-62-0x0000000000400000-0x000000000041E000-memory.dmp
  - behavioral1/memory/2072-88-0x0000000000400000-0x00000000004CF000-memory.dmp
  - behavioral1/memory/2072-197-0x0000000000400000-0x00000000004CF000-memory.dmp
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Processes: explorer.exe
  - Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)
    Only the key is created, under the user hive, by explorer.exe; no component value is written in this run, so on its own this hit is weak evidence of persistence.
Disables taskbar notifications via registry modification
-
Deletes itself (1 IoC)
  Processes: cmd.exe
  - 2216 cmd.exe
Executes dropped EXE (8 IoCs)
  Processes: DV245F.exe, ziuowi.exe, aohost.exe, bohost.exe, dohost.exe
  - 292 DV245F.exe
  - 2712 ziuowi.exe
  - 2568 aohost.exe
  - 2288 aohost.exe
  - 1848 bohost.exe
  - 1620 dohost.exe
  - 828 bohost.exe
  - 1916 bohost.exe
Loads dropped DLL (10 IoCs)
  Processes: 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe, DV245F.exe
  - 2072 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe (8 loads)
  - 292 DV245F.exe (2 loads)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

UPX-packed code in memory (YARA rule upx, 23 IoCs)
  Memory regions matching the upx rule, grouped by process (the dump index follows the pid):
  - 2072 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe, 0x0000000000400000-0x00000000004CF000: dumps 14, 13, 12, 5, 3, 2, 88, 197
  - 2288 aohost.exe, 0x0000000000400000-0x0000000000427000: dumps 65, 60, 56, 66, 54, 67, 89
  - 1848 bohost.exe, 0x0000000000400000-0x0000000000452000: dumps 90, 193, 199, 208, 263, 284
  - 828 bohost.exe, 0x0000000000400000-0x0000000000452000: dump 105
  - 1916 bohost.exe, 0x0000000000400000-0x0000000000452000: dump 206
Adds Run key to start application (2 TTPs, 54 IoCs)
  Processes: ziuowi.exe, bohost.exe, DV245F.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziuowi = "C:\\Users\\Admin\\ziuowi.exe /G" (DV245F.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziuowi = "C:\\Users\\Admin\\ziuowi.exe /<switch>" (ziuowi.exe): 52 writes to the same value, each with a different single-letter switch, in the order the report lists them: /g /P /e /t /d /l /m /c /N /L /O /J /M /R /j /v /w /E /D /n /p /H /Q /z /i /Z /X /o /r /b /k /V /h /I /T /U /y /a /G /F /s /C /K /W /f /B /x /S /q /u /A /Y
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\848.exe = "C:\\Program Files (x86)\\LP\\518F\\848.exe" (bohost.exe)
Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: aohost.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (aohost.exe)
  - Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (aohost.exe)
    Disk\Enum\0 holds the device instance ID of the first disk, which embeds the vendor and model string; in a virtual machine that string names the hypervisor's virtual disk, which is what this check looks for.
Suspicious use of SetThreadContext (2 IoCs)
  Processes: 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe, aohost.exe
  - PID 788 (19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe) set thread context of 2072 (19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe)
  - PID 2568 (aohost.exe) set thread context of 2288 (aohost.exe)
Drops file in Program Files directory (3 IoCs)
  Processes: bohost.exe
  - File created C:\Program Files (x86)\LP\518F\848.exe (bohost.exe)
  - File opened for modification C:\Program Files (x86)\LP\518F\C571.tmp (bohost.exe)
  - File opened for modification C:\Program Files (x86)\LP\518F\848.exe (bohost.exe)
Drops file in Windows directory (1 IoC)
  Processes: explorer.exe
  - File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico (explorer.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes: tasklist.exe
  - 2660 tasklist.exe
  - 1896 tasklist.exe
Modifies registry class (5 IoCs)
  Processes: explorer.exe
  - Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
  - Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
  - Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
  - Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings (explorer.exe)
  - Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
    These are ShellBag (BagMRU) keys that Explorer writes whenever a folder window is opened; they are shell housekeeping, not an artifact of the sample.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: DV245F.exe, ziuowi.exe, aohost.exe, bohost.exe
  - 292 DV245F.exe (2)
  - 2712 ziuowi.exe (47)
  - 2288 aohost.exe (1)
  - 1848 bohost.exe (14)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: explorer.exe
  - 2100 explorer.exe
Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Processes: tasklist.exe, msiexec.exe, explorer.exe
  - Token: SeDebugPrivilege 2660 tasklist.exe
  - Token: SeRestorePrivilege 1940 msiexec.exe
  - Token: SeTakeOwnershipPrivilege 1940 msiexec.exe
  - Token: SeSecurityPrivilege 1940 msiexec.exe
  - Token: SeShutdownPrivilege 2100 explorer.exe (12 times)
  - Token: SeDebugPrivilege 1896 tasklist.exe
Suspicious use of FindShellTrayWindow (28 IoCs)
  Processes: explorer.exe
  - 2100 explorer.exe (28 times)
Suspicious use of SendNotifyMessage (18 IoCs)
  Processes: explorer.exe
  - 2100 explorer.exe (18 times)
Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe, DV245F.exe, ziuowi.exe, dohost.exe
  - 2072 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe
  - 292 DV245F.exe
  - 2712 ziuowi.exe
  - 1620 dohost.exe
Suspicious use of WriteProcessMemory (60 IoCs)
  Processes: 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe, DV245F.exe, cmd.exe, aohost.exe, bohost.exe
  Each line is "parent -> child (number of writes)":
  - 788 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe -> 2072 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe (8)
  - 2072 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe -> 292 DV245F.exe (4)
  - 292 DV245F.exe -> 2712 ziuowi.exe (4)
  - 292 DV245F.exe -> 2672 cmd.exe (4)
  - 2672 cmd.exe -> 2660 tasklist.exe (4)
  - 2072 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe -> 2568 aohost.exe (4)
  - 2568 aohost.exe -> 2288 aohost.exe (8)
  - 2072 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe -> 1848 bohost.exe (4)
  - 2072 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe -> 1620 dohost.exe (4)
  - 1848 bohost.exe -> 828 bohost.exe (4)
  - 2072 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe -> 2216 cmd.exe (4)
  - 2216 cmd.exe -> 1896 tasklist.exe (4)
  - 1848 bohost.exe -> 1916 bohost.exe (4)
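The SetThreadContext and WriteProcessMemory IoCs above are what a process-hollowing check is built from: a parent that spawns a child with its own image name, writes into it and then sets the child's thread context is the classic hollow sequence, while memory writes on their own are logged for ordinary children too (cmd.exe writing into tasklist.exe). The Python below is an added example, not code from the report or the sandbox; it parses the three line shapes exactly as printed above (one IoC per line), joins them with the modiloader_stage2 and upx memory hits, and returns the two hollowed pairs (788 -> 2072 and 2568 -> 2288) separately from the write-only noise. The sample input is copied from the report with repeated entries collapsed.

```python
"""Reconstruct the injection chain from process-level sandbox IoCs.

Added example, not code from the report or the sandbox. It assumes the three
line shapes exactly as the report prints them, one IoC per line:
  PID <src> set thread context of <dst> <src> <src image> <dst image>
  PID <src> wrote to memory of <dst> <src> <src image> <dst image>
  behavioral1/memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp <yara rule>
"""
import re
from collections import Counter, defaultdict

SET_CTX = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)$")
WROTE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")
MEMDUMP = re.compile(
    r"^behavioral\d+/memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)$"
)

# Constructed sample: IoCs copied from the report above, with the repeated
# WriteProcessMemory entries collapsed to one line per parent/child pair.
SAMPLE = """\
PID 788 set thread context of 2072 788 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe
PID 2568 set thread context of 2288 2568 aohost.exe aohost.exe
PID 788 wrote to memory of 2072 788 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe
PID 2072 wrote to memory of 292 2072 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe DV245F.exe
PID 2672 wrote to memory of 2660 2672 cmd.exe tasklist.exe
PID 2568 wrote to memory of 2288 2568 aohost.exe aohost.exe
PID 1848 wrote to memory of 828 1848 bohost.exe bohost.exe
behavioral1/memory/788-9-0x0000000000400000-0x000000000041F000-memory.dmp modiloader_stage2
behavioral1/memory/2072-14-0x0000000000400000-0x00000000004CF000-memory.dmp modiloader_stage2
behavioral1/memory/2072-14-0x0000000000400000-0x00000000004CF000-memory.dmp upx
behavioral1/memory/2288-54-0x0000000000400000-0x0000000000427000-memory.dmp upx
"""


def parse_events(text):
    """Collect per-pair and per-pid facts from the IoC lines."""
    ctx = set()                  # (parent, child) pairs seen in SetThreadContext
    writes = Counter()           # (parent, child) -> number of WriteProcessMemory calls
    images = {}                  # pid -> image name
    yara = defaultdict(set)      # pid -> YARA rules that hit in its memory dumps
    region = defaultdict(int)    # pid -> largest dumped region, in bytes
    for raw in text.splitlines():
        line = raw.strip()
        if m := SET_CTX.match(line):
            p, c = int(m[1]), int(m[2])
            ctx.add((p, c))
            images[p], images[c] = m[3], m[4]
        elif m := WROTE.match(line):
            p, c = int(m[1]), int(m[2])
            writes[(p, c)] += 1
            images[p], images[c] = m[3], m[4]
        elif m := MEMDUMP.match(line):
            pid = int(m[1])
            yara[pid].add(m[4])
            region[pid] = max(region[pid], int(m[3], 16) - int(m[2], 16))
    return ctx, writes, images, yara, region


def find_injection(text):
    """Return (findings, write_only_pairs).

    SetThreadContext on a child the parent also wrote to, where both share an
    image name, is the classic hollowing sequence: spawn yourself suspended,
    overwrite the image, point the thread at the new entry, resume.  Pairs with
    WriteProcessMemory alone go in the second list: the sandbox logs those for
    ordinary CreateProcess children as well (cmd.exe -> tasklist.exe here).
    """
    ctx, writes, images, yara, region = parse_events(text)
    findings = []
    for parent, child in sorted(ctx):
        same_image = images.get(parent) == images.get(child)
        findings.append({
            "parent": parent,
            "child": child,
            "image": images.get(child),
            "verdict": "process hollowing" if same_image else "remote thread hijack",
            "writes": writes[(parent, child)],
            "child_rules": sorted(yara[child]),
            "child_region_kb": region[child] // 1024,
        })
    write_only = sorted(pair for pair in writes if pair not in ctx)
    return findings, write_only


if __name__ == "__main__":
    found, noise = find_injection(SAMPLE)
    for f in found:
        print(f"{f['parent']} -> {f['child']} {f['image']}: {f['verdict']}, "
              f"{f['writes']} write(s), {f['child_region_kb']} KB image, rules={f['child_rules']}")
    print("write-only pairs (not injection on their own):", noise)
```

The region size is worth keeping: the hollowed child 2072 carries an 828 KB image at 0x400000 although the dropped sample is 667 KB on disk, which is consistent with the upx hit on the same region (packed on disk, unpacked in memory).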
System policy modification (1 TTP, 2 IoCs)
  Processes: bohost.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (bohost.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" (bohost.exe)
    HideSCAHealth = 1 is the Explorer policy that removes the Security Center (Action Center) health icon and its balloon warnings from the notification area; together with the wscsvc start-type change above it keeps the user from being told that protection is off. This write is what the "Disables taskbar notifications via registry modification" signature above refers to.
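Five of the signatures above (Modifies security service, Modifies visibility of hidden/system files, Adds Run key, Active Setup, System policy modification) are all "Set value" and "Key created" lines against the registry, and the 54 Run-key IoCs are really three distinct writers. The Python below is an added example, not code from the report or the sandbox: it normalises the hive prefixes and the user SID, collapses repeated writes to one value by one process while keeping every distinct data value, decodes the service start type, and maps each key to an ATT&CK technique. That mapping is this example's own, chosen for the signatures on this page, not the report's matrix. The sample input is copied from the sections above (five of the 52 ziuowi.exe rewrites are enough to show the rotating-argument pattern); lines the rules do not cover, such as the ShellBag writes, come back unclassified instead of being dropped.

```python
"""Normalise and triage the registry IoCs a sandbox report lists.

Added example, not code from the report or the sandbox. It assumes the two line
shapes as printed above, one IoC per line:
  Set value (<type>) <key path> = <data> <process>
  Key created <key path> <process>
The ATT&CK labels in RULES are this example's own mapping for the signatures
on this page; they are not taken from the report's matrix.
"""
import re
from collections import defaultdict

SID = re.compile(r"S-1-5-(?:\d+-)+\d+")
SET_VALUE = re.compile(r"^Set value \((\w+)\) (.+?) = (.+) (\S+)$")
KEY_CREATED = re.compile(r"^Key created (.+) (\S+)$")

# (regex over the lower-cased normalised path, label); first match wins.
RULES = [
    (re.compile(r"\\currentversion\\run\\[^\\]+$"), "T1547.001 Registry Run Keys / Startup Folder"),
    (re.compile(r"\\active setup\\installed components"), "T1547.014 Active Setup"),
    (re.compile(r"\\explorer\\advanced\\showsuperhidden$"), "T1564.001 Hidden Files and Directories"),
    (re.compile(r"\\services\\wscsvc\\start$"), "T1562.001 Impair Defenses: Security Center service start type"),
    (re.compile(r"\\policies\\explorer\\hidescahealth$"), "T1112 Modify Registry: hide Security Center tray warnings"),
]
START_TYPE = {"2": "Automatic", "3": "Manual", "4": "Disabled"}   # SERVICE_* start values

# Constructed sample: lines copied from the signatures above.
SAMPLE = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" bohost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" DV245F.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ziuowi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziuowi = "C:\\Users\\Admin\\ziuowi.exe /G" DV245F.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziuowi = "C:\\Users\\Admin\\ziuowi.exe /g" ziuowi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziuowi = "C:\\Users\\Admin\\ziuowi.exe /P" ziuowi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziuowi = "C:\\Users\\Admin\\ziuowi.exe /e" ziuowi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziuowi = "C:\\Users\\Admin\\ziuowi.exe /t" ziuowi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ziuowi = "C:\\Users\\Admin\\ziuowi.exe /d" ziuowi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\848.exe = "C:\\Program Files (x86)\\LP\\518F\\848.exe" bohost.exe
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer bohost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" bohost.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe
"""


def norm(path):
    """Shorten hive prefixes and mask the user SID so the rules are machine-independent."""
    path = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\").replace("\\REGISTRY\\USER\\", "HKU\\")
    return SID.sub("<SID>", path)


def parse_ioc(line):
    line = line.strip()
    if m := SET_VALUE.match(line):
        return {"op": "set", "path": norm(m[2]), "data": m[3].strip('"'), "process": m[4]}
    if m := KEY_CREATED.match(line):
        return {"op": "create", "path": norm(m[1]), "data": None, "process": m[2]}
    return None


def triage(text):
    """Return (findings, unclassified).  Repeated writes to one value by one
    process collapse into a single finding that keeps every distinct data value."""
    groups = defaultdict(lambda: {"count": 0, "data": []})
    unclassified = []
    for raw in text.splitlines():
        ioc = parse_ioc(raw)
        if ioc is None:
            continue
        label = next((lab for rx, lab in RULES if rx.search(ioc["path"].lower())), None)
        if label is None:
            unclassified.append(ioc)
            continue
        g = groups[(label, ioc["path"], ioc["process"])]
        g["count"] += 1
        if ioc["data"] is not None and ioc["data"] not in g["data"]:
            g["data"].append(ioc["data"])
    findings = []
    for (label, path, proc), g in sorted(groups.items()):
        note = ""
        if path.lower().endswith("\\services\\wscsvc\\start") and g["data"]:
            note = "start type -> " + START_TYPE.get(g["data"][-1], "unknown")
        elif len(g["data"]) > 1:
            note = f"{g['count']} writes with {len(g['data'])} distinct values (rotating argument)"
        findings.append({"technique": label, "path": path, "process": proc,
                         "count": g["count"], "data": g["data"], "note": note})
    return findings, unclassified


if __name__ == "__main__":
    found, other = triage(SAMPLE)
    for f in found:
        print(f"{f['technique']}: {f['process']} -> {f['path']} x{f['count']} {f['note']}")
    print(f"{len(other)} IoC(s) not covered by the rules, e.g. {other[0]['path']}")
```

Collapsing by (technique, key, process) turns the 54 Run-key IoCs into three findings (DV245F.exe seeding the value, ziuowi.exe rewriting it, bohost.exe adding its own under the Wow6432Node hive), which is the shape you want before writing a detection for it.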
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry gives the image path, the recorded command line and the signatures it triggered; indentation follows the parent/child depth shown in the report (depth 1 is a top-level process). The 32-bit sample's children launch C:\Windows\System32\cmd.exe and tasklist.exe, which WOW64 file-system redirection resolves to C:\Windows\SysWOW64, so the image path and the command line differ for those processes.

C:\Users\Admin\AppData\Local\Temp\19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe (depth 1)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\19692ed7b4d90397bb54fb483823e32c_JaffaC(akes118.exe (depth 2)
    cmdline: 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\DV245F.exe (depth 3)
      cmdline: C:\Users\Admin\DV245F.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\ziuowi.exe (depth 4)
        cmdline: "C:\Users\Admin\ziuowi.exe"
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

      C:\Windows\SysWOW64\cmd.exe (depth 4)
        cmdline: "C:\Windows\System32\cmd.exe" /c tasklist&&del DV245F.exe
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\tasklist.exe (depth 5)
          cmdline: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\aohost.exe (depth 3)
      cmdline: C:\Users\Admin\aohost.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\aohost.exe (depth 4)
        cmdline: aohost.exe
        - Executes dropped EXE
        - Maps connected drives based on registry
        - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\bohost.exe (depth 3)
      cmdline: C:\Users\Admin\bohost.exe
      - Modifies security service
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification

      C:\Users\Admin\bohost.exe (depth 4)
        cmdline: C:\Users\Admin\bohost.exe startC:\Users\Admin\AppData\Roaming\F79A4\78A51.exe%C:\Users\Admin\AppData\Roaming\F79A4
        - Executes dropped EXE

      C:\Users\Admin\bohost.exe (depth 4)
        cmdline: C:\Users\Admin\bohost.exe startC:\Program Files (x86)\A42DB\lvvm.exe%C:\Program Files (x86)\A42DB
        - Executes dropped EXE

    C:\Users\Admin\dohost.exe (depth 3)
      cmdline: C:\Users\Admin\dohost.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      cmdline: "C:\Windows\System32\cmd.exe" /c tasklist&&del 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\tasklist.exe (depth 4)
        cmdline: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe (depth 1)
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe (depth 1)
  cmdline: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
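The two cmd.exe entries in the tree show the self-deletion idiom behind the "Deletes itself" signature: `/c tasklist&&del <file>`. tasklist is not there for its output; it takes long enough that the parent has exited and released its file lock by the time del runs, and `&&` runs del only after tasklist returns success, which it always does. The Python below is an added example, not code from the report or the sandbox. It parses the recorded command lines, splits the cmd.exe chain on its separators, reports which staller was used and what was deleted, and marks the case where the deleted name matches the parent's image. The generalisation to other stallers (ping, timeout, choice, waitfor) and to quoted absolute paths is this example's own; the sample rows are copied from the tree above, plus one hypothetical ping variant, labelled as such, to exercise that generalisation.

```python
"""Spot the "stall then del" self-deletion idiom in recorded command lines.

Added example, not code from the report or the sandbox. Rows are
(image, command line, parent image); the parent image is needed only to
decide whether the deleted file is the parent itself.
"""
import re
import shlex

# Quoted or unquoted path to cmd.exe, or bare cmd, followed by /c or /k.
CMD_RE = re.compile(r'^(?:"[^"]*\\|\S*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', re.IGNORECASE)
STALLERS = {"tasklist", "ping", "timeout", "choice", "waitfor", "sleep"}
DELETE_VERBS = {"del", "erase", "rd", "rmdir"}


def _basename(path):
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(part):
    try:
        return shlex.split(part, posix=False)   # keeps Windows quoting intact
    except ValueError:                          # unbalanced quote: fall back to whitespace
        return part.split()


def analyse_cmdline(cmdline, parent_image=None):
    """Return {"stall", "deleted", "self_delete"} for a cmd /c ... del chain, else None."""
    m = CMD_RE.match(cmdline.strip())
    if not m:
        return None
    body = m[1].strip()
    if len(body) > 1 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]                       # cmd /c "a && b" form
    stall, deleted = None, []
    for part in re.split(r"&&|\|\||&|\|", body):  # cmd.exe command separators
        tokens = _tokens(part.strip())
        if not tokens:
            continue
        verb = tokens[0].lower()
        if verb in STALLERS:
            stall = verb
        elif verb in DELETE_VERBS:
            deleted += [t.strip('"') for t in tokens[1:] if not t.startswith("/")]
    if not deleted:
        return None
    self_delete = parent_image is not None and any(
        _basename(t) == _basename(parent_image) for t in deleted)
    return {"stall": stall, "deleted": deleted, "self_delete": self_delete}


# Constructed rows: the first five are taken from the report's process tree,
# the last is a hypothetical ping variant added to exercise the generalisation.
SAMPLE_TREE = [
    ("cmd.exe", r'"C:\Windows\System32\cmd.exe" /c tasklist&&del DV245F.exe', r"C:\Users\Admin\DV245F.exe"),
    ("tasklist.exe", "tasklist", r"C:\Windows\SysWOW64\cmd.exe"),
    ("cmd.exe", r'"C:\Windows\System32\cmd.exe" /c tasklist&&del 19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe',
     r"C:\Users\Admin\AppData\Local\Temp\19692ed7b4d90397bb54fb483823e32c_JaffaCakes118.exe"),
    ("tasklist.exe", "tasklist", r"C:\Windows\SysWOW64\cmd.exe"),
    ("msiexec.exe", r"C:\Windows\system32\msiexec.exe /V", None),
    ("cmd.exe", r'cmd /c ping 127.0.0.1 -n 3 > nul & del "C:\Users\Admin\AppData\Local\Temp\dropper.exe"',
     r"C:\Users\Admin\AppData\Local\Temp\dropper.exe"),
]


def scan(rows):
    """Run analyse_cmdline over (image, cmdline, parent) rows and keep the hits."""
    hits = []
    for image, cmdline, parent in rows:
        result = analyse_cmdline(cmdline, parent)
        if result:
            hits.append({"image": image, "parent": parent, **result})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_TREE):
        print(f"{h['image']} deletes {h['deleted']} after {h['stall']}; "
              f"self-delete of parent: {h['self_delete']}")
```

Note that the two real rows delete by bare filename, so the deletion only hits the intended file if cmd.exe inherited the parent's working directory; when hunting for this in endpoint telemetry, the parent image and the deleted name are the pair to key on, not the staller, which varies by family.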
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Active Setup (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Active Setup (1)
Defense Evasion
  Modify Registry (5)
  Hide Artifacts (1): Hidden Files and Directories (1)
Downloads

The same 42DB.79A path is listed four times with different sizes and hashes: the file was rewritten during the run and each version was captured.

C:\Users\Admin\AppData\Roaming\F79A4\42DB.79A
  Filesize: 600B
  MD5: c1480fcf9b4e9a1e343814dc702023de
  SHA1: c43d414a4443cb2f37c7d93e79495fe1f89e1c6b
  SHA256: 47377d67e5ac16b096b9e152101bab70767d95609e4c64422c35a69b407e92a2
  SHA512: 468441f13f75ceb15d1c272b060976cd72e728f718f68b871f4130d2a98fccceb55a3dbd33a5fe0163e7e2f6583c1d19f24e9aecbcd249bff30ca33bba5be131

C:\Users\Admin\AppData\Roaming\F79A4\42DB.79A
  Filesize: 897B
  MD5: 218824d1ef805544d473f2751e81d5e2
  SHA1: bb9aa76fb4a4ee729ea1550088b8563167142504
  SHA256: f79bc4c6f96f0ee895a3cbb2822f615f209ca0e5f32bbc5b4585ae99bfeadbe0
  SHA512: 30b494be62e0ed25b9275eb5e9ef81411227cc8904351c2b23fd5591bac5987ad8b3c055f574e57cf6ffe9ea8cd61fdb3b64bf774598fffcc7da80b8ca1b5767

C:\Users\Admin\AppData\Roaming\F79A4\42DB.79A
  Filesize: 1KB
  MD5: 449516e1ab6766e2606bc96c9460519c
  SHA1: 80ce11ba8958c675793fc44e6ab868f26e855481
  SHA256: 2abe183cdf7051f9300cca7ff27e31bd288be0347917d1cf057cd56b54062db3
  SHA512: 8efdd58e81bd33dbb07a0755cb557aaf8b44766360b64eba4a7304db290f3b632a4913d39e4bdf9c1bfd721c478f0b32d93375ea1d869e4afe44d2490712f7b4

C:\Users\Admin\AppData\Roaming\F79A4\42DB.79A
  Filesize: 1KB
  MD5: bd7f4d72a2f966d2c1402678ae1dbac3
  SHA1: e81dae09fb7d6980f216c583c22ef09dbe8011e8
  SHA256: c423904360e380c9d81fc525f7710a9d1117554feced551248788f0b1b73a7c8
  SHA512: b64db631714a7580e139b1215779d62090a8987c3cc63d900a8172fd2d949501ae1904f48518d8cfef5cc273b5c9101e34b6ce0ee1c44e69dcff10c8aa6bad03

\Users\Admin\DV245F.exe
  Filesize: 216KB
  MD5: 00b1af88e176b5fdb1b82a38cfdce35b
  SHA1: c0f77262df92698911e0ac2f7774e93fc6b06280
  SHA256: 50f026d57fea9c00d49629484442ea59cccc0053d7db73168d68544a3bbf6f59
  SHA512: 9e55e7c440af901f9c6d0cdae619f6e964b9b75c9351c76ea64362ff161c150b12a1caabb3d2eb63353a59ae70e7159ca6b3793ed0cc11994766846ac316107f

\Users\Admin\aohost.exe
  Filesize: 152KB
  MD5: 4401958b004eb197d4f0c0aaccee9a18
  SHA1: 50e600f7c5c918145c5a270b472b114faa72a971
  SHA256: 4c477ed134bc76fa7b912f1aad5e59d4f56f993baa16646e25fec2fdeed3bd8b
  SHA512: f0548bdaafce2cde2f9d3bd1c26ed3c8e9321ef6d706bd372e18886d834828e5bb54ae44f19764e94574ceb4a1a2a99bdd8476e174b05114fcac9a6d4a2d58e6

\Users\Admin\bohost.exe
  Filesize: 173KB
  MD5: 0578a41258df62b7b4320ceaafedde53
  SHA1: 50e7c0b00f8f1e5355423893f10ae8ee844d70f4
  SHA256: 18941e3030ef70437a5330e4689ec262f887f6f6f1da1cd66c0cbae2a76e75bf
  SHA512: 5870a73798bad1f92b4d79f20bf618112ec8917574f6b25ab968c47afff419a829eef57b0282fb4c53e6e636436c8cf52a01426c46bdd4a0ea948d371f0feb09

\Users\Admin\dohost.exe
  Filesize: 24KB
  MD5: d7390e209a42ea46d9cbfc5177b8324e
  SHA1: eff57330de49be19d2514dd08e614afc97b061d2
  SHA256: d2d49c37bdf2313756897245c3050494b39e824af448450eca1c0e83cf95b1e5
  SHA512: de0eb11dd20cd9d74f47b138fb4189a299a57173fe2635150045b01629354f35b26e0575acd25501403af0db238a123b2e5a79582b47aee1d6e786f5eec1929d

\Users\Admin\ziuowi.exe
  Filesize: 216KB
  MD5: d9862af1e4ae6207c43fae17eb2b11e8
  SHA1: 11a44a700a4ed6d534b2d2426c3bbc3a65337134
  SHA256: 5ae2551e18dfe8d97c6ff29a9a9517a47dd5005b222d1c812ba41ec24253e810
  SHA512: 1849bee8be72996d54ee42ce58c92d0dbae6d04781e4ec63150a6901b95580b334058513c3b276d7b80cd83cacb7d352586329191fda856accf3814f9cdebf5d

Memory dumps (name, then file size)

memory/292-43-0x00000000040D0000-0x0000000004B8A000-memory.dmp  10.7MB
memory/788-9-0x0000000000400000-0x000000000041F000-memory.dmp  124KB
memory/828-105-0x0000000000400000-0x0000000000452000-memory.dmp  328KB
memory/1848-193-0x0000000000400000-0x0000000000452000-memory.dmp  328KB
memory/1848-199-0x0000000000400000-0x0000000000452000-memory.dmp  328KB
memory/1848-284-0x0000000000400000-0x0000000000452000-memory.dmp  328KB
memory/1848-263-0x0000000000400000-0x0000000000452000-memory.dmp  328KB
memory/1848-208-0x0000000000400000-0x0000000000452000-memory.dmp  328KB
memory/1848-90-0x0000000000400000-0x0000000000452000-memory.dmp  328KB
memory/1916-206-0x0000000000400000-0x0000000000452000-memory.dmp  328KB
memory/2072-13-0x0000000000400000-0x00000000004CF000-memory.dmp  828KB
memory/2072-197-0x0000000000400000-0x00000000004CF000-memory.dmp  828KB
memory/2072-12-0x0000000000400000-0x00000000004CF000-memory.dmp  828KB
memory/2072-1-0x0000000000400000-0x00000000004CF000-memory.dmp  828KB
memory/2072-88-0x0000000000400000-0x00000000004CF000-memory.dmp  828KB
memory/2072-3-0x0000000000400000-0x00000000004CF000-memory.dmp  828KB
memory/2072-14-0x0000000000400000-0x00000000004CF000-memory.dmp  828KB
memory/2072-2-0x0000000000400000-0x00000000004CF000-memory.dmp  828KB
memory/2072-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
memory/2072-5-0x0000000000400000-0x00000000004CF000-memory.dmp  828KB
memory/2288-54-0x0000000000400000-0x0000000000427000-memory.dmp  156KB
memory/2288-52-0x0000000000400000-0x0000000000427000-memory.dmp  156KB
memory/2288-67-0x0000000000400000-0x0000000000427000-memory.dmp  156KB
memory/2288-60-0x0000000000400000-0x0000000000427000-memory.dmp  156KB
memory/2288-56-0x0000000000400000-0x0000000000427000-memory.dmp  156KB
memory/2288-65-0x0000000000400000-0x0000000000427000-memory.dmp  156KB
memory/2288-89-0x0000000000400000-0x0000000000427000-memory.dmp  156KB
memory/2288-66-0x0000000000400000-0x0000000000427000-memory.dmp  156KB
memory/2568-62-0x0000000000400000-0x000000000041E000-memory.dmp  120KB