Analysis
max time kernel: 142s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 10:28
Static task: static1
Behavioral task: behavioral1
  Sample: 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
The signatures, process tree and dropped files below are from behavioral2 (win10v2004-20240508-en, see the behavioral2/memory/... dump names); the win7 run is not shown on this page.
General
Target: 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
Size: 7.7MB
MD5: 19c9bec1f75d5ca7edb86310660a6c7b
SHA1: 2ff805f3f29ea16e0dad096de62c7ce87ca9357a
SHA256: 1ded4c387a4292edcf04a920c5e129a74dc246f2cf2785561b708dacb554cf96
SHA512: dd944946244d1b90bae729dc714cf0fe579d28983eace8341f0910bd71590f35c7a76a8b2528fea0050fd96d2b0503b7f7082e12a29e2608b185d956cb52c72b
SSDEEP: 196608:U3GEEoPZJSRkkcj8aNGLtQhGEEoPZJSRkkcj8aNGLtQM:U3GEdPuktIiGEdPuktIz
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses public cloud file-hosting services to fetch and run other malware families.
UAC bypass 1 IoCs
Sets EnableLUA to 0 under the machine policy key; once that takes effect (after the next logon) UAC no longer prompts, so later elevation is silent.
Processes (process | description | ioc):
  mstwain32.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
ModiLoader Second Stage 17 IoCs
CCleaner.exe (PIDs 2532 and 4348) writes C:\Windows\mstwain32.exe (PID 1416); all three processes carry the modiloader_stage2 image at 0x0000000000400000-0x000000000044B000, and the 1416 region was dumped repeatedly over the run.
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\CCleaner.exe | modiloader_stage2
  behavioral2/memory/4348-46-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
  behavioral2/memory/2532-28-0x0000000000400000-0x000000000044B000-memory.dmp | modiloader_stage2
  behavioral2/memory/1416-{66,69,72,75,78,81,84,87,90,93,96,99,102,105}-0x0000000000400000-0x000000000044B000-memory.dmp (14 dumps of the same region) | modiloader_stage2
Disables RegEdit via registry modification 2 IoCs
Processes (process | description | ioc):
  reg.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
  reg.exe | Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Disables Task Manager via registry modification
No IoC rows are listed for this signature; the DisableTaskMgr writes under the HKCU and HKLM Policies\System keys are visible as reg.exe command lines in the process tree.
Checks computer location settings 2 TTPs 2 IoCs
Reads the country code configured under Control Panel\International\Geo\Nation, a common geofencing check.
Processes (process | description | ioc):
  19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
  CCleaner.exe | Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 5 IoCs
Processes (pid | process):
  2532 | CCleaner.exe
  1416 | mstwain32.exe
  4220 | ccsetup236.exe
  4348 | CCleaner.exe
  440 | ccsetup236.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer that runs Windows applications on other operating systems; some analysis sandboxes are built on it, so the presence of HKCU\Software\Wine is a cheap environment check.
Processes (process | description | ioc):
  19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe | Key opened | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine
Loads dropped DLL 6 IoCs
Processes (pid | process):
  1416 | mstwain32.exe (x4)
  1668 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe (x2)
Adds Run key to start application 2 TTPs 1 IoCs
Processes (process | description | ioc):
  mstwain32.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"
Checks whether UAC is enabled 3 IoCs
Processes (process | description | ioc):
  CCleaner.exe | Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  mstwain32.exe | Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  mstwain32.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Drops file in Windows directory 4 IoCs
Processes (process | description | ioc):
  CCleaner.exe | File created | C:\Windows\mstwain32.exe
  CCleaner.exe | File opened for modification | C:\Windows\mstwain32.exe
  mstwain32.exe | File created | C:\Windows\ntdtcstp.dll
  mstwain32.exe | File created | C:\Windows\cmsetac.dll
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
NSIS installer 4 IoCs
Both rules hit twice because two different files were written to the same path (see Downloads: 896KB and 3.3MB variants).
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe | nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe | nsis_installer_2
  C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe | nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe | nsis_installer_2
Modifies registry class 4 IoCs
Processes (process | description | ioc):
  rundll32.exe | Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings (x4, one per rundll32.exe instance)
Modifies registry key 1 TTPs 20 IoCs
Processes (pid | process): 20 reg.exe instances, PIDs 4036, 3568, 2076, 2620, 4508, 1148, 2544, 3572, 2176, 4720, 436, 1928, 4084, 2192, 2604, 2976, 4972, 2640, 3616, 2488
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (description | pid | process):
  Token: SeDebugPrivilege | 2532 | CCleaner.exe
  Token: SeDebugPrivilege | 1416 | mstwain32.exe (x2)
  Token: SeDebugPrivilege | 1668 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid | process):
  1668 | 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe
  1416 | mstwain32.exe (x2)
Suspicious use of WriteProcessMemory 64 IoCs
Every pair below is a parent writing into a child it has just created (the loader into its droppers and cmd.exe helpers, cmd.exe into reg.exe), not injection into an unrelated process.
Processes (source pid, source process -> target pid, target process; repeats counted):
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 2532 CCleaner.exe (x3)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 5060 cmd.exe (x3)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 2896 cmd.exe (x3)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 2584 cmd.exe (x3)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 3376 cmd.exe (x3)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 2992 cmd.exe (x3)
  2532 CCleaner.exe -> 1416 mstwain32.exe (x3)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 4220 ccsetup236.exe (x3)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 1948 cmd.exe (x3)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 1744 cmd.exe (x3)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 4492 cmd.exe (x3)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 1376 cmd.exe (x3)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 1052 cmd.exe (x3)
  5060 cmd.exe -> 2076 reg.exe (x3)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 4348 CCleaner.exe (x3)
  4220 ccsetup236.exe -> 1556 pcaui.exe (x2)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 4208 cmd.exe (x3)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 2096 cmd.exe (x3)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 2152 cmd.exe (x3)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 2748 cmd.exe (x3)
  1668 19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe -> 2548 cmd.exe (x3)
  3376 cmd.exe -> 3572 reg.exe (x2; the list is cut at 64 entries)
System policy modification 1 TTPs 1 IoCs
Processes (process | description | ioc):
  mstwain32.exe | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
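The UAC bypass, Run-key and file-drop signatures above are registry events in the same kernel-path notation (\REGISTRY\MACHINE\..., \REGISTRY\USER\<SID>\...) that Sysmon event 13 uses, so they translate directly into detection rules. The Python below is an added example, not part of the sandbox report and not vendor or malware code: it folds the SID out of user-hive paths so one rule matches any user, then flags EnableLUA being set to 0 under HKLM, Run entries whose target sits directly in %SystemRoot% or under a Temp directory, and a process that writes a Run entry pointing at its own image (mstwain32.exe persisting itself). The event records are constructed from the report's IoCs plus two benign controls, and the (process, key, value, data) tuple shape is an assumption about the event feed.

```python
"""Registry-tamper rules over "Set value" events in kernel-path notation.

Added example (not from the sandbox report). The event shape is an assumption:
(process image name, native key path, value name, data)."""
import ntpath
import re

SID = "S-1-5-21-3558294865-3673844354-2255444939-1000"   # SID from the report
HKLM_NATIVE = "\\REGISTRY\\MACHINE\\"
HKU_NATIVE = "\\REGISTRY\\USER\\"
POLICY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINDIR = r"C:\Windows"

# Constructed sample events: the report's IoCs plus two benign controls.
EVENTS = [
    ("mstwain32.exe", HKLM_NATIVE + POLICY, "EnableLUA", 0),
    ("mstwain32.exe", HKU_NATIVE + SID + "\\" + RUN, "mstwain32", r"C:\Windows\mstwain32.exe"),
    ("rundll32.exe", HKU_NATIVE + SID + "_Classes\\Local Settings", "", None),
    ("explorer.exe", HKU_NATIVE + SID + "\\" + RUN, "OneDrive",
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),  # benign
    ("svchost.exe", HKLM_NATIVE + POLICY, "EnableLUA", 1),                            # benign
]

_USER_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[0-9-]+)(_Classes)?\\(.*)$", re.I)


def normalize_key(native: str) -> tuple[str, str]:
    """Map a kernel-style key path to (hive, subkey), folding the SID away so a
    rule is user-independent. HKU\\<SID>_Classes is the per-user classes hive
    that Windows exposes as HKCU\\Software\\Classes."""
    if native.upper().startswith(HKLM_NATIVE):
        return "HKLM", native[len(HKLM_NATIVE):]
    m = _USER_RE.match(native)
    if m:
        sub = m.group(3)
        if m.group(2):
            sub = "Software\\Classes\\" + sub
        return "HKCU", sub
    return "?", native


def run_target(data: str) -> str:
    """First token of a Run-key command line, with surrounding quotes removed."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def suspicious_location(path: str) -> bool:
    """Run target sitting directly in %SystemRoot% (not System32) or anywhere
    under a Temp directory; both are uncommon for legitimate autostarts."""
    p = ntpath.normcase(path)
    return ntpath.dirname(p) == ntpath.normcase(WINDIR) or "\\temp\\" in p


def evaluate(event) -> list[str]:
    """Rule findings for one event (empty list when nothing matched)."""
    process, native_key, name, data = event
    hive, sub = normalize_key(native_key)
    findings = []
    if hive == "HKLM" and sub.lower() == POLICY.lower() \
            and name.lower() == "enablelua" and data == 0:
        findings.append("uac_disabled")                               # T1548.002
    if sub.lower() in (RUN.lower(), RUN.lower() + "once"):
        target = run_target(str(data))
        if suspicious_location(target):
            findings.append("run_key_suspicious_target:" + target)    # T1547.001
        if ntpath.basename(target).lower() == process.lower():
            findings.append("run_key_points_at_writer")               # self-persistence
    return findings


def run_rules(events) -> list[tuple[str, str]]:
    """(process, finding) for every event that trips a rule."""
    return [(ev[0], f) for ev in events for f in evaluate(ev)]


if __name__ == "__main__":
    for proc, finding in run_rules(EVENTS):
        print(f"{proc:16} {finding}")
```

The SID-folding step is what makes the rule reusable: the report's IoCs are keyed to one sandbox user, but the same writes on a real host land under a different SID. The self-persistence check is cheap and specific because legitimate installers register a Run entry from a setup process whose image name differs from the target.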
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe, PID 1668
  command line: "C:\Users\Admin\AppData\Local\Temp\19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe"
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\CCleaner.exe, PID 2532
    command line: "C:\Users\Admin\AppData\Local\Temp\CCleaner.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\mstwain32.exe, PID 1416
      command line: "C:\Windows\mstwain32.exe"
      - UAC bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - System policy modification
  (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\reg.exe
      command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
      - Modifies registry key
  (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    (depth 3) C:\Windows\SysWOW64\reg.exe
      command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
      - Modifies registry key
  (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    (depth 3) C:\Windows\SysWOW64\reg.exe
      command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
      - Disables RegEdit via registry modification
      - Modifies registry key
  (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\reg.exe
      command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
      - Disables RegEdit via registry modification
      - Modifies registry key
  (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    (depth 3) C:\Windows\SysWOW64\reg.exe
      command line: reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
      - Modifies registry key
  Note: Windows does not read a DisableRegistryTools value under the SystemRestore key, so that write is inert; only the Policies\System writes under HKCU and HKLM actually lock out Registry Editor and Task Manager.
  (depth 2) C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe, PID 4220
    command line: "C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\system32\pcaui.exe, PID 1556
      command line: "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {d5ceeb93-9830-4406-a772-e167287b96c4} -a "CCleaner" -v "Piriform Ltd" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 2 -f 2021048 -k 0 -e "C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe"
      This is the Program Compatibility Assistant dialog: Windows hard-blocks the bundled (old, NSIS-packaged) CCleaner installer, so the decoy install never completes while the loader's real payload runs from mstwain32.exe.
  (depth 2) five more cmd.exe -> reg.exe pairs with exactly the same five command lines as above (DisableTaskMgr under HKCU and HKLM; DisableRegistryTools under HKCU, HKLM and the SystemRestore key); each reg.exe is tagged "Modifies registry key", the cmd.exe instances carry no tag
  (depth 2) C:\Users\Admin\AppData\Local\Temp\CCleaner.exe, PID 4348
    command line: "C:\Users\Admin\AppData\Local\Temp\CCleaner.exe"
    - Executes dropped EXE
  (depth 2) five more cmd.exe -> reg.exe pairs, identical to the batch above; each reg.exe tagged "Modifies registry key"
  (depth 2) C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe, PID 440
    command line: "C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe"
    - Executes dropped EXE
    (depth 3) C:\Windows\system32\pcaui.exe
      command line: identical to the pcaui.exe invocation under PID 4220
  (depth 2) five more cmd.exe -> reg.exe pairs, identical to the batch above; each reg.exe tagged "Modifies registry key"
(depth 1) C:\Windows\System32\rundll32.exe (four instances)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe"
  - Modifies registry class
  These are Windows Firewall's "allow this app" alerts for the sample, the dialog raised when a program starts listening for inbound connections; the empty Network section below shows no traffic was captured beyond that.
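The tree shows that the tool-disabling writes are not made by the loader itself but by twenty cmd.exe /c reg add children, so on an endpoint the first artefact is a command line, not a registry event. The Python below is an added example, not from the report, the sandbox vendor or the malware: it parses reg add command lines (direct or wrapped in cmd.exe /c) into structured writes, decides whether a write tampers with the Policies\System values, and walks the process ancestry back to the binary that started the chain, reporting whether any ancestor ran from the user's Temp directory. The process records are constructed from the tree; the cmd.exe/reg.exe PID pairs 5060/2076 and 3376/3572 come from the WriteProcessMemory list, but which of the five reg add lines each pair ran and the explorer.exe parent (PID 4712) are assumptions, and the "Contoso Setup" entry is a made-up benign control. The SystemRestore\DisableRegistryTools write is deliberately not matched, since Windows ignores it.

```python
"""Parse `reg add` command lines from a process tree and trace policy tampering
back through process ancestry.

Added example (not from the sandbox report). Records are constructed from the
report's tree; PID 4712 (explorer.exe) and the Contoso entry are assumptions."""
import ntpath
import shlex
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegWrite:
    key: str    # canonical hive (HKLM/HKCU/HKU/HKCR) + "\" + subkey
    value: str
    type: str
    data: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\19c9bec1f75d5ca7edb86310660a6c7b_JaffaCakes118.exe"
POL_CU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POL_LM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"

PROCS = [  # constructed sample input
    Proc(4712, 1, r"C:\Windows\explorer.exe", "explorer.exe"),            # assumed parent
    Proc(1668, 4712, SAMPLE, f'"{SAMPLE}"'),
    Proc(2532, 1668, TEMP + r"\CCleaner.exe", f'"{TEMP}\\CCleaner.exe"'),
    Proc(1416, 2532, r"C:\Windows\mstwain32.exe", '"C:\\Windows\\mstwain32.exe"'),
    Proc(5060, 1668, CMD, f"cmd.exe /c reg add {POL_CU} /v DisableTaskMgr /t REG_DWORD /d 1"),
    Proc(2076, 5060, REG, f"reg add {POL_CU} /v DisableTaskMgr /t REG_DWORD /d 1"),
    Proc(3376, 1668, CMD, f"cmd.exe /c reg add {POL_LM} /v DisableRegistryTools /t REG_DWORD /d 1"),
    Proc(3572, 3376, REG, f"reg add {POL_LM} /v DisableRegistryTools /t REG_DWORD /d 1"),
    Proc(9001, 4712, REG,  # made-up benign control: an installer recording its state
         r'reg add "HKEY_CURRENT_USER\Software\Contoso Setup" /v Installed /t REG_DWORD /d 1 /f'),
]

_HIVES = {"hkey_local_machine": "HKLM", "hklm": "HKLM", "hkey_current_user": "HKCU",
          "hkcu": "HKCU", "hkey_users": "HKU", "hku": "HKU",
          "hkey_classes_root": "HKCR", "hkcr": "HKCR"}

# Policies\System values whose write impairs the user's own admin tools or UAC.
TAMPER = {("disabletaskmgr", "1"), ("disableregistrytools", "1"), ("enablelua", "0")}
POLICY_SUB = r"software\microsoft\windows\currentversion\policies\system"


def canonical_key(key: str) -> str:
    """Normalise the hive spelling (HKEY_CURRENT_USER -> HKCU) and strip quotes."""
    hive, _, sub = key.strip('"').partition("\\")
    return _HIVES.get(hive.lower(), hive.upper()) + "\\" + sub


def parse_reg_add(cmdline: str):
    """RegWrite for a `reg add` line run directly or via `cmd.exe /c`, else None.
    posix=False keeps backslashes literal and quoted paths with spaces intact."""
    toks = shlex.split(cmdline, posix=False)
    low = [t.strip('"').lower() for t in toks]
    start = next((i for i in range(len(low) - 2)
                  if ntpath.basename(low[i]) in ("reg", "reg.exe") and low[i + 1] == "add"), None)
    if start is None:
        return None
    opts = {"/v": "", "/t": "", "/d": ""}
    j = start + 3                      # options follow the key at start + 2
    while j < len(toks):
        if low[j] in opts and j + 1 < len(toks):
            opts[low[j]] = toks[j + 1].strip('"')
            j += 2
        else:
            j += 1                     # /f, /ve, /reg:32 ... carry nothing we need
    return RegWrite(canonical_key(toks[start + 2]), opts["/v"], opts["/t"].upper(), opts["/d"])


def is_tamper(w: RegWrite) -> bool:
    sub = w.key.partition("\\")[2].lower()
    return sub == POLICY_SUB and (w.value.lower(), w.data) in TAMPER


def lineage(procs, pid) -> list[str]:
    """Image paths from the root ancestor down to pid; unknown parents end the walk."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def find_tampers(procs):
    """(pid, write, chain of image names, from_temp) for every reg.exe policy tamper.
    Only reg.exe records are scored: cmd.exe's "/c reg add" copy is the same write."""
    temp_prefix = ntpath.normcase(TEMP) + "\\"
    out = []
    for p in procs:
        if ntpath.basename(p.image).lower() != "reg.exe":
            continue
        w = parse_reg_add(p.cmdline)
        if w and is_tamper(w):
            chain = lineage(procs, p.pid)
            from_temp = any(ntpath.normcase(img).startswith(temp_prefix) for img in chain)
            out.append((p.pid, w, [ntpath.basename(i) for i in chain], from_temp))
    return out


if __name__ == "__main__":
    for pid, w, chain, from_temp in find_tampers(PROCS):
        print(pid, w.key + "\\" + w.value, "=", w.data, "| origin in Temp:", from_temp, "|", " > ".join(chain))
```

Scoring only the reg.exe record avoids double-counting, but the parser accepts the cmd.exe form too, which matters on hosts where reg.exe command lines are not logged separately. The from_temp flag is the triage shortcut: a Policies\System tamper whose lineage starts in a user's Temp directory is a dropped or downloaded binary, not an installed management tool.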
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
Defense Evasion
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Impair Defenses (T1562): 1
    Disable or Modify Tools (T1562.001): 1
  Modify Registry (T1112): 4
  Virtualization/Sandbox Evasion (T1497): 1
Downloads
C:\Users\Admin\AppData\Local\Temp\CCleaner.exe
  Filesize: 270KB
  MD5: 16e11c0d0af86560a376b1b3ef69afe2
  SHA1: 567d4be42eb29b28b62e8cf6255c3459d25f2e3c
  SHA256: 3ff60728b28ee54d13a91e52d71c73211e3e67800635e4dd21196f60fab78cf3
  SHA512: 7b4b396d5fdc4bc2d632bfb56587736ee0e0782f20a0be588fd1a680a87e4cd28c65f92b54040e574799973756a96937d37b5ce39a36ef7a7b0588990bc7a335
C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe (one of two distinct files written to this path)
  Filesize: 896KB
  MD5: 093cd228254c2cc27217f54a1a99dfb0
  SHA1: b67e0dfa21dffd0a3a4e9315cc90e3d6dc514bf1
  SHA256: 07d276ff5867a749e4bf3252d4f56cc8c6ea2671382e4f3c54b0a83d67f2a6b7
  SHA512: 2eb54dec84881714635be8809ac72249d95703d88c243d36e01f9ba5a406fc46c61eabb13d3efc86d4d06527a3cba9fe92dd31155dbe912e1fdf9df31e33e0e4
C:\Users\Admin\AppData\Local\Temp\ccsetup236.exe (the other file written to the same path)
  Filesize: 3.3MB
  MD5: 832fdaa7e21a755ad2016493fe2b1ae0
  SHA1: 6dd7b298899d1d40d9d5f0e89c40a40f69ac90c9
  SHA256: 8ceafddab004733568fff7cf34572d41a866421fe3e6f8f7864fe0270cc115ad
  SHA512: bfc1867fa2a4bb2800f0bd461666335a290c6780205eb6d1d6f721f6ca1045e3e826a84f3814f0a580a90ca063787b3dad0f19ea893d3ea41c71d61f66a4f1b5
C:\Windows\cmsetac.dll
  Filesize: 33KB
  MD5: 192c8da340572eae08f8510d90c822ed
  SHA1: c621836688d9a6f7fe7837f6ccac3d06fd77da8a
  SHA256: ea1f8f26287ae62e732b2bd2d591e0779dbac144a2096ce159402dc6b8f088d0
  SHA512: 66f942b601dd4fe8a6a80a161e4b6927145a06eba4b3edb37ef541ee19d3a076bb19870ff5f74d2727d054d97fed4773bfb85951d7d69fecba5f64d34afa2fd2
C:\Windows\ntdtcstp.dll
  Filesize: 7KB
  MD5: 67587e25a971a141628d7f07bd40ffa0
  SHA1: 76fcd014539a3bb247cc0b761225f68bd6055f6b
  SHA256: e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
  SHA512: 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350
Memory dumps (region | size); the numbers in braces are the dump indices taken of the same region over the run
  memory/1416-{66,69,72,75,78,81,84,87,90,93,96,99,102,105}-0x0000000000400000-0x000000000044B000-memory.dmp | 300KB
  memory/1416-{42,68}-0x00000000030E0000-0x00000000030EE000-memory.dmp | 56KB
  memory/1416-67-0x00000000006C0000-0x00000000006C8000-memory.dmp | 32KB
  memory/1668-{0,64}-0x0000000000400000-0x00000000004A9000-memory.dmp | 676KB
  memory/1668-{2,65}-0x0000000000401000-0x0000000000407000-memory.dmp | 24KB
  memory/1668-{61,63}-0x0000000004920000-0x000000000492E000-memory.dmp | 56KB
  memory/2532-28-0x0000000000400000-0x000000000044B000-memory.dmp | 300KB
  memory/4348-46-0x0000000000400000-0x000000000044B000-memory.dmp | 300KB