Analysis
- max time kernel: 13s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 13:30

Behavioral task: behavioral1
- Sample: 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe
- Resource: win7-20240220-en
General
- Target: 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe
- Size: 792KB
- MD5: 1a4e0616d3bb6faaae67c2b9655b3691
- SHA1: 1063f0d26a161d91dec14755a65862be23f4d011
- SHA256: 86584928126b210987919b533525f52937b87a2877130a39d456a37ccb9ee828
- SHA512: 5d76bd1801a66e51d326aabc15e7fb3464590726101e72789917d287b1c5eb1afe48c4be5933f46091f555e5b7f918cb164eabfba77a131af2c92e37e3402c58
- SSDEEP: 12288:FEnnhoUxDJKzPNZeO+2HBtIEMt/4FylEQKvC9ss+jJwdmDHif/uuhbJ2XyiCyai:JQaZx+2jIE0/jGgPghTspJ2kyn
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 4 IoCs)
Processes: 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe:*:enabled:@shell32.dll,-1" | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe
Processes: WaterMark.exe, 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WaterMark.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe
Modifies Windows Firewall (2 TTPs, 2 IoCs)
Processes: netsh.exe, netsh.exe
pid | process
- 1208 | netsh.exe
- 4136 | netsh.exe
Executes dropped EXE (6 IoCs)
Processes: 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe, 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgrmgr.exe, WaterMark.exe, WaterMark.exe, WaterMarkmgr.exe, WaterMark.exe
pid | process
- 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe
- 1728 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgrmgr.exe
- 3264 | WaterMark.exe
- 4652 | WaterMark.exe
- 4368 | WaterMarkmgr.exe
- 2952 | WaterMark.exe
Processes:
resource | yara_rule
- behavioral2/memory/4520-0-0x0000000000400000-0x00000000004E2000-memory.dmp | upx
- behavioral2/memory/3496-14-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/3496-22-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/3496-8-0x0000000003500000-0x0000000004530000-memory.dmp | upx
- behavioral2/memory/3496-17-0x0000000003500000-0x0000000004530000-memory.dmp | upx
- behavioral2/memory/3496-16-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/3496-15-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/3496-21-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/3496-13-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/3496-6-0x0000000003500000-0x0000000004530000-memory.dmp | upx
- behavioral2/memory/4368-88-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/4652-106-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/3264-78-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/4368-77-0x0000000000400000-0x0000000000450000-memory.dmp | upx
- behavioral2/memory/4652-73-0x00000000032A0000-0x00000000042D0000-memory.dmp | upx
- behavioral2/memory/4652-70-0x00000000032A0000-0x00000000042D0000-memory.dmp | upx
- behavioral2/memory/1728-57-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/1728-46-0x0000000000400000-0x0000000000450000-memory.dmp | upx
- behavioral2/memory/4520-33-0x0000000000400000-0x00000000004E2000-memory.dmp | upx
- behavioral2/memory/3496-31-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/4520-146-0x0000000000400000-0x00000000004E2000-memory.dmp | upx
- behavioral2/memory/3264-157-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/2952-164-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/4652-188-0x0000000000400000-0x0000000000421000-memory.dmp | upx
- behavioral2/memory/4652-189-0x00000000032A0000-0x00000000042D0000-memory.dmp | upx
Processes: 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe, WaterMark.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WaterMark.exe
Drops file in Program Files directory (11 IoCs)
Processes: 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe, 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgrmgr.exe, WaterMark.exe, WaterMark.exe, WaterMarkmgr.exe, WaterMark.exe
description | ioc | process
- File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe
- File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe
- File opened for modification | C:\Program Files (x86)\Microsoft\pxE762.tmp | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgrmgr.exe
- File created | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
- File created | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
- File opened for modification | C:\Program Files (x86)\Microsoft\pxE88B.tmp | WaterMarkmgr.exe
- File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | WaterMarkmgr.exe
- File opened for modification | C:\Program Files (x86)\Microsoft\pxE62A.tmp | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe
- File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgrmgr.exe
- File created | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
- File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | WaterMark.exe
Drops file in Windows directory (1 IoC)
Processes: 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe
description | ioc | process
- File opened for modification | C:\Windows\SYSTEM.INI | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes: netsh.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
- Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
- 2152 | 4520 | WerFault.exe | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe
Processes: iexplore.exe, iexplore.exe, iexplore.exe, IEXPLORE.EXE, iexplore.exe, iexplore.exe, iexplore.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A630F8F7-3552-11EF-90FA-6E89720FDA0C} = "0" | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
- Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
- Set value (data) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
- Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
- Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Suspicious behavior: EnumeratesProcesses (56 IoCs)
Processes: 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe, 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe, WaterMark.exe, WaterMark.exe, WaterMark.exe
pid | process (repeated entries collapsed, count in parentheses)
- 4520 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe (2 entries)
- 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe (2 entries)
- 3264 | WaterMark.exe (16 entries)
- 4652 | WaterMark.exe (20 entries)
- 2952 | WaterMark.exe (16 entries)
Suspicious behavior: MapViewOfSection (64 IoCs)
Processes: 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe
pid | process (repeated entries collapsed, count in parentheses)
- 4520 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe (64 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe, 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe
description | pid | process (repeated entries collapsed, count in parentheses)
- Token: SeDebugPrivilege | 4520 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe (1 entry)
- Token: SeDebugPrivilege | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe (63 entries)
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: iexplore.exe
pid | process
- 460 | iexplore.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe, iexplore.exe, IEXPLORE.EXE
pid | process (repeated entries collapsed, count in parentheses)
- 4520 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe (1 entry)
- 460 | iexplore.exe (2 entries)
- 2668 | IEXPLORE.EXE (4 entries)
Suspicious use of UnmapMainImage (6 IoCs)
Processes: 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe, 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgrmgr.exe, WaterMark.exe, WaterMarkmgr.exe, WaterMark.exe, WaterMark.exe
pid | process
- 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe
- 1728 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgrmgr.exe
- 3264 | WaterMark.exe
- 4368 | WaterMarkmgr.exe
- 4652 | WaterMark.exe
- 2952 | WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe, 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe
description | pid | process | target process (repeated entries collapsed, count in parentheses)
- PID 4520 wrote to memory of 3496 | 4520 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe (3 entries)
- PID 4520 wrote to memory of 612 | 4520 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe | winlogon.exe (6 entries)
- PID 4520 wrote to memory of 668 | 4520 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe | lsass.exe (6 entries)
- PID 4520 wrote to memory of 776 | 4520 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe | fontdrvhost.exe (6 entries)
- PID 3496 wrote to memory of 776 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | fontdrvhost.exe
- PID 3496 wrote to memory of 780 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | fontdrvhost.exe
- PID 3496 wrote to memory of 60 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | dwm.exe
- PID 3496 wrote to memory of 1728 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgrmgr.exe (3 entries)
- PID 3496 wrote to memory of 2960 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | sihost.exe
- PID 3496 wrote to memory of 2992 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | svchost.exe
- PID 3496 wrote to memory of 2432 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | taskhostw.exe
- PID 3496 wrote to memory of 3424 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | Explorer.EXE
- PID 3496 wrote to memory of 3564 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | svchost.exe
- PID 3496 wrote to memory of 3780 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | DllHost.exe
- PID 3496 wrote to memory of 3868 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | StartMenuExperienceHost.exe
- PID 3496 wrote to memory of 3940 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | RuntimeBroker.exe
- PID 3496 wrote to memory of 4032 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | SearchApp.exe
- PID 3496 wrote to memory of 3812 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | RuntimeBroker.exe
- PID 3496 wrote to memory of 4528 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | TextInputHost.exe
- PID 3496 wrote to memory of 4092 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | msedge.exe
- PID 3496 wrote to memory of 4776 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | msedge.exe
- PID 3496 wrote to memory of 4100 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | msedge.exe
- PID 3496 wrote to memory of 2352 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | msedge.exe
- PID 3496 wrote to memory of 1104 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | msedge.exe
- PID 3496 wrote to memory of 2172 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | RuntimeBroker.exe
- PID 3496 wrote to memory of 2036 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | RuntimeBroker.exe
- PID 3496 wrote to memory of 3664 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | backgroundTaskHost.exe
- PID 3496 wrote to memory of 2448 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | backgroundTaskHost.exe
- PID 3496 wrote to memory of 4520 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe (2 entries)
- PID 3496 wrote to memory of 3264 | 3496 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe | WaterMark.exe (3 entries)
- PID 4520 wrote to memory of 780 | 4520 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe | fontdrvhost.exe (6 entries)
- PID 4520 wrote to memory of 800 | 4520 | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe | svchost.exe (6 entries)
System policy modification (1 TTP, 2 IoCs)
Processes: 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe, WaterMark.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WaterMark.exe
Processes
path | command line (indented entries are child processes of the entry above them)
- C:\Windows\system32\winlogon.exe | winlogon.exe
  - C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
  - C:\Windows\system32\dwm.exe | "dwm.exe"
- C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p
  - C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding
  - C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  - C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  - C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding
  - C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  - C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  - C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  - C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  - C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  - C:\Windows\system32\MusNotification.exe | C:\Windows\system32\MusNotification.exe
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - C:\Windows\system32\sihost.exe | sihost.exe
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exeC:\Users\Admin\AppData\Local\Temp\1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgrmgr.exeC:\Users\Admin\AppData\Local\Temp\1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgrmgr.exe4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- System policy modification
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:460 CREDAT:17410 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable8⤵
- Modifies Windows Firewall
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 13123⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ff9be9d4ef8,0x7ff9be9d4f04,0x7ff9be9d4f102⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2440,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=2432 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1852,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=3516 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2456,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=3660 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4292,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=3840 /prefetch:82⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4520 -ip 45201⤵
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Downloads