modiloader | fd117e431e71ee7ed92e5cde68591e39114ed733c181e6701dd47ec1f7821493

Analysis

max time kernel
148s
max time network
142s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
Size

777KB
MD5

1ccf45c4f29f340012377bcfe6479fee
SHA1

fb1b183193d4395924aa9c3570c5fd30b1b8e321
SHA256

fd117e431e71ee7ed92e5cde68591e39114ed733c181e6701dd47ec1f7821493
SHA512

7b819340cbefb1b8ca9c82b521381adf32ba5d32f47cbcebcff220bf6135bbdb5adf5ec0086beeb2757616172183cdae3c222a1f9074cc8a685d8d21a1faec68
SSDEEP

12288:soGaxSoMVIQ10VyhvXoZ4JF3Z4mxxT6hss9+ChYR1DNj19tVskM:TGgb4hvXosQmXT+ssMEOJjPs1

Score

10^/10

modiloader evasion persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1288-69-0x0000000000400000-0x000000000055E000-memory.dmp	modiloader_stage2
behavioral1/memory/2152-122-0x0000000000400000-0x000000000055E000-memory.dmp	modiloader_stage2
behavioral1/memory/1288-138-0x0000000000400000-0x000000000055E000-memory.dmp	modiloader_stage2
behavioral1/memory/2152-150-0x0000000000400000-0x000000000055E000-memory.dmp	modiloader_stage2

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.loglsass.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	lsass.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.

Processes:

resource yara_rule

C:\Windows\SysWOW64\com\netcfg.000 acprotect
\Windows\SysWOW64\dnsq.dll acprotect
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2012 cmd.exe
Executes dropped EXE 6 IoCs

Processes:

1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.loglsass.exelsass.exe1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exesmss.exeNTOETECT.exe

pid process

2920 1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
2844 lsass.exe
1952 lsass.exe
1288 1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
1788 smss.exe
2152 NTOETECT.exe

resource	yara_rule
C:\Windows\SysWOW64\com\netcfg.000	acprotect
\Windows\SysWOW64\dnsq.dll	acprotect

pid	process
2012	cmd.exe

pid	process
2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
2844	lsass.exe
1952	lsass.exe
1288	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
1788	smss.exe
2152	NTOETECT.exe

Loads dropped DLL 17 IoCs

Processes:

1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.loglsass.exeregsvr32.exesmss.exe1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exeWerFault.exeNTOETECT.exe

pid	process
1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
2844	lsass.exe
2844	lsass.exe
2844	lsass.exe
108	regsvr32.exe
1788	smss.exe
1288	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
1288	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
1812	WerFault.exe
2152	NTOETECT.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1716-0-0x0000000000400000-0x000000000042B000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	upx
behavioral1/memory/2920-17-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1716-15-0x0000000000400000-0x000000000042B000-memory.dmp	upx
\Windows\SysWOW64\com\lsass.exe	upx
behavioral1/memory/2844-41-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1952-59-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2920-60-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/1952-68-0x0000000000400000-0x000000000042B000-memory.dmp	upx
C:\Windows\SysWOW64\com\netcfg.000	upx
\Windows\SysWOW64\dnsq.dll	upx
behavioral1/memory/2844-106-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/1788-111-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/2152-129-0x0000000010000000-0x0000000010018000-memory.dmp	upx
\??\f:\NTOETECT.exe	upx
behavioral1/memory/2152-152-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral1/memory/2844-153-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2844-154-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2844-157-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2844-160-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2844-163-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2844-166-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2844-169-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2844-172-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2844-175-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2844-178-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2844-181-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2844-184-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2844-187-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2844-195-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2844-198-0x0000000000400000-0x000000000042B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

Processes:

lsass.exe1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.loglsass.exelsass.exe1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exelsass.exe

description	ioc	process
File opened (read-only)	\??\A:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\E:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\X:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\Z:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\B:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\M:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\W:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\G:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\H:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\Q:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\S:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\T:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\N:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\P:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\R:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\V:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\Y:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\O:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\U:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\L:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\h:	lsass.exe
File opened (read-only)	\??\I:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\J:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened (read-only)	\??\K:	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe

Drops autorun.inf file 1 TTPs 11 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exelsass.exe

description	ioc	process
File opened for modification	C:\AutoRun.inf	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened for modification	D:\AUTORUN.INF	lsass.exe
File opened for modification	\??\E:\AUTORUN.INF	lsass.exe
File opened for modification	D:\autorun.inf	lsass.exe
File opened for modification	\??\E:\autorun.inf	lsass.exe
File opened for modification	C:\AUTORUN.INF	lsass.exe
File created	C:\AUTORUN.INF	lsass.exe
File created	C:\AutoRun.inf	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File created	F:\AutoRun.inf	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened for modification	F:\AutoRun.inf	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File opened for modification	C:\autorun.inf	lsass.exe

Drops file in System32 directory 22 IoCs

Processes:

lsass.exe1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dnsq.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\259402705.log	lsass.exe
File created	C:\Windows\SysWOW64\com\lsass.exe	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
File opened for modification	C:\Windows\SysWOW64\com\netcfg.000	lsass.exe
File created	C:\Windows\SysWOW64\com\netcfg.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\netcfg.dll	lsass.exe
File created	C:\Windows\SysWOW64\com\netcfg.000	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\com\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\00302.log	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
File opened for modification	C:\Windows\SysWOW64\com\lsass.exe	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
File created	C:\Windows\SysWOW64\00302.log	lsass.exe
File created	C:\Windows\SysWOW64\dnsq.dll	lsass.exe
File created	C:\Windows\SysWOW64\259402705.log	lsass.exe
File created	C:\Windows\SysWOW64\00302.log	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\com\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\bak	lsass.exe
File created	C:\Windows\SysWOW64\com\~	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\com\smss.exe	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log

Drops file in Program Files directory 3 IoCs

Processes:

1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\NTOETECT.exe	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\NTOETECT.exe	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe

Drops file in Windows directory 2 IoCs

Processes:

NTOETECT.exe

description ioc process

File created C:\Windows\_NTOETECT.exe NTOETECT.exe
File opened for modification C:\Windows\_NTOETECT.exe NTOETECT.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1812 2152 WerFault.exe NTOETECT.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

lsass.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main lsass.exe

description	ioc	process
File created	C:\Windows\_NTOETECT.exe	NTOETECT.exe
File opened for modification	C:\Windows\_NTOETECT.exe	NTOETECT.exe

pid	pid_target	process	target process
1812	2152	WerFault.exe	NTOETECT.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID\ = "{D9901239-34A2-448D-A000-3705544ECE9D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\ = "IfObj Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32	regsvr32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

ping.exe

pid process

2204 ping.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.loglsass.exe

pid process

1716 1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
2920 1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
2844 lsass.exe
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

pid process

472
472
472

pid	process
2204	ping.exe

pid	process
472
472
472

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.loglsass.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
Token: SeDebugPrivilege	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
Token: SeDebugPrivilege	2844	lsass.exe
Token: 33	2548	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2548	AUDIODG.EXE
Token: 33	2548	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2548	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.loglsass.exelsass.exe

pid	process
1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
2844	lsass.exe
2844	lsass.exe
2844	lsass.exe
2844	lsass.exe
1952	lsass.exe
1952	lsass.exe
1952	lsass.exe
1952	lsass.exe
2844	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.loglsass.exe

description	pid	process	target process
PID 1716 wrote to memory of 1672	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe	cmd.exe
PID 1716 wrote to memory of 1672	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe	cmd.exe
PID 1716 wrote to memory of 1672	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe	cmd.exe
PID 1716 wrote to memory of 1672	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe	cmd.exe
PID 1716 wrote to memory of 2300	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe	cacls.exe
PID 1716 wrote to memory of 2300	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe	cacls.exe
PID 1716 wrote to memory of 2300	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe	cacls.exe
PID 1716 wrote to memory of 2300	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe	cacls.exe
PID 1716 wrote to memory of 2140	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe	cacls.exe
PID 1716 wrote to memory of 2140	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe	cacls.exe
PID 1716 wrote to memory of 2140	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe	cacls.exe
PID 1716 wrote to memory of 2140	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe	cacls.exe
PID 1716 wrote to memory of 2920	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
PID 1716 wrote to memory of 2920	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
PID 1716 wrote to memory of 2920	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
PID 1716 wrote to memory of 2920	1716	1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
PID 2920 wrote to memory of 2544	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cmd.exe
PID 2920 wrote to memory of 2544	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cmd.exe
PID 2920 wrote to memory of 2544	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cmd.exe
PID 2920 wrote to memory of 2544	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cmd.exe
PID 2920 wrote to memory of 2752	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cacls.exe
PID 2920 wrote to memory of 2752	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cacls.exe
PID 2920 wrote to memory of 2752	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cacls.exe
PID 2920 wrote to memory of 2752	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cacls.exe
PID 2920 wrote to memory of 2724	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cacls.exe
PID 2920 wrote to memory of 2724	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cacls.exe
PID 2920 wrote to memory of 2724	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cacls.exe
PID 2920 wrote to memory of 2724	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cacls.exe
PID 2920 wrote to memory of 2676	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cacls.exe
PID 2920 wrote to memory of 2676	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cacls.exe
PID 2920 wrote to memory of 2676	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cacls.exe
PID 2920 wrote to memory of 2676	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cacls.exe
PID 2920 wrote to memory of 2240	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cacls.exe
PID 2920 wrote to memory of 2240	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cacls.exe
PID 2920 wrote to memory of 2240	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cacls.exe
PID 2920 wrote to memory of 2240	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cacls.exe
PID 2920 wrote to memory of 2580	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cmd.exe
PID 2920 wrote to memory of 2580	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cmd.exe
PID 2920 wrote to memory of 2580	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cmd.exe
PID 2920 wrote to memory of 2580	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cmd.exe
PID 2920 wrote to memory of 1864	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cmd.exe
PID 2920 wrote to memory of 1864	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cmd.exe
PID 2920 wrote to memory of 1864	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cmd.exe
PID 2920 wrote to memory of 1864	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	cmd.exe
PID 2920 wrote to memory of 2844	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	lsass.exe
PID 2920 wrote to memory of 2844	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	lsass.exe
PID 2920 wrote to memory of 2844	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	lsass.exe
PID 2920 wrote to memory of 2844	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	lsass.exe
PID 2920 wrote to memory of 1288	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
PID 2920 wrote to memory of 1288	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
PID 2920 wrote to memory of 1288	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
PID 2920 wrote to memory of 1288	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
PID 2920 wrote to memory of 1952	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	lsass.exe
PID 2920 wrote to memory of 1952	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	lsass.exe
PID 2920 wrote to memory of 1952	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	lsass.exe
PID 2920 wrote to memory of 1952	2920	1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log	lsass.exe
PID 2844 wrote to memory of 2880	2844	lsass.exe	cmd.exe
PID 2844 wrote to memory of 2880	2844	lsass.exe	cmd.exe
PID 2844 wrote to memory of 2880	2844	lsass.exe	cmd.exe
PID 2844 wrote to memory of 2880	2844	lsass.exe	cmd.exe
PID 2844 wrote to memory of 1832	2844	lsass.exe	cacls.exe
PID 2844 wrote to memory of 1832	2844	lsass.exe	cacls.exe
PID 2844 wrote to memory of 1832	2844	lsass.exe	cacls.exe
PID 2844 wrote to memory of 1832	2844	lsass.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
2⤵
PID:1672

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
2⤵
PID:2300

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
2⤵
PID:2140

\??\c:\users\admin\appdata\local\temp\1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
"c:\users\admin\appdata\local\temp\1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log"
2⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
3⤵
PID:2544

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
3⤵
PID:2752

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
3⤵
PID:2724

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
3⤵
PID:2676

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
3⤵
PID:2240

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
3⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del /F /Q "C:\Windows\system32\com\lsass.exe"
3⤵
PID:1864

C:\Windows\SysWOW64\com\lsass.exe
"C:\Windows\system32\com\lsass.exe"
3⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c echo ok
4⤵
PID:2880

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
4⤵
PID:1832

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Everyone:F
4⤵
PID:576

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Admin:F
4⤵
PID:600

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\lsass.exe /e /t /g Everyone:F
4⤵
PID:264

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Admin:F
4⤵
PID:700

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com\smss.exe /e /t /g Everyone:F
4⤵
PID:604

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\smss.exe"
4⤵
PID:272

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\lsass.exe"
4⤵
PID:2928

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:108

C:\Windows\SysWOW64\com\smss.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\~.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\dnsq.dll"
4⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q "C:\Windows\system32\com\bak"
4⤵
PID:2972

C:\Windows\SysWOW64\ping.exe
ping.exe -f -n 1 www.baidu.com
4⤵
- Runs ping.exe
PID:2204

C:\Users\Admin\appdata\local\temp\1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe
"C:\Users\Admin\appdata\local\temp\1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
PID:1288

C:\Program Files\Common Files\Microsoft Shared\MSINFO\NTOETECT.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\NTOETECT.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2152

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
5⤵
PID:300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 312
5⤵
- Loads dropped DLL
- Program crash
PID:1812

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
4⤵
- Deletes itself
PID:2012

C:\Windows\SysWOW64\com\lsass.exe
^c:\users\admin\appdata\local\temp\1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x560
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\NetApi000.sys
Filesize
4KB

MD5
f5d93e609591b09430d56625e71ca827

SHA1
3343645770f10997f089f3cc394ff56b5bcc1e9e

SHA256
110b409802aefb25ec924691682144300f8fce3f6e481a0c34e717ee8a38d406

SHA512
38877b1d461bc9b9aebf473296a5640ba4ae95315d29ea422460b94c02a5ca03e085d927091f4b6cc04d5134eaf8c9beb2570cb482eaf9a049de45779b116421

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\ReDelBat.bat
Filesize
212B

MD5
9f7c70b14240c3922a2afa899dbc76fd

SHA1
afa86aa4246adcd7fdd949b61dd1efb4461a2dab

SHA256
b5887b358dc6c4343520d66e92b62a83a9e13d74307149d688e99e43b0c5a7ea

SHA512
4c9f1cc5505d0f75efb3573e346af6b4e626474fab63b0ca7a013384ca906e49a27585519f70aa0b33a070526cbb476bcb40bcf5f16688a19948f432e1e278c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ccf45c4f29f340012377bcfe6479fee_JaffaCakes118.exe
Filesize
594KB

MD5
a679ca78533d1f0b23cf67e941cb227a

SHA1
62422414a11d64d1e3a6346b75e6d6294b34aa98

SHA256
43b8c6dbe50248f3fd541d3200516771f9467dc8b4ba6d8d2f6e9d692dc6f8de

SHA512
fd6914d8837331e3cad8ecbbd9ec035bdc0b93f58dace66634e7a2df980de318e565792a3edabb350a61fe2930b39f4cab39dea8b367405f7fea803b773e0ac8

Download Submit
C:\Windows\SysWOW64\com\netcfg.000
Filesize
16KB

MD5
d1f6b9273cbb2e23aeed11346d0072c5

SHA1
0d012a7c7b37082dcbd5e1688f72eeade705f825

SHA256
dfb2d7cdc6ea056948d09fe139255af2dcc58f3581f4a50f4e5ee0f5a03c39fc

SHA512
4c3ab878131ad38a54d04cf0d268430ab98a67df474a18ee7858c62561d90ec14c34ed63dd973fdf24115ebf17ef65a6a9fc9ac612c247903e881e584dc3b77e

Download Submit
C:\Windows\SysWOW64\com\smss.exe
Filesize
40KB

MD5
ae1cd1d740c265b7f18f827f9e37afab

SHA1
6b976bc56e4021e7237b3cd4dbe412b6949fb0a0

SHA256
a961e4f09ebcf11e1e384361d20d4ac031b3c159b9e6d50e3b4612102bef2a11

SHA512
c8f973cbece698f0701171be501c5c24fb77345c05c136ba992b97f74b81c0487e4039c5bb9b43176cc3815e8f2181377811a8a4d8fb08f741fa304767b50571

Download Submit
C:\autorun.inf
Filesize
90B

MD5
a97437c414e0b98553e335d71b8a63e6

SHA1
4aff3625b6cf4d7bf472fdeb7a0adf359a11e01d

SHA256
2435319b72375c630978dad94f1d660a1ae257ac630016b0e4e322722a2e9827

SHA512
fc8f785f7e9b433ed3ab6fe4fd408ffb0fd19faae6d8456b168ad43e1adb9d8a000d6280a1c9b2862805607da2346384c1269dfb7c2e45f8ce8038ebccf3e223

Download Submit
\??\f:\NTOETECT.exe
Filesize
777KB

MD5
2421bfc7040ac601948e17d0a3752bb0

SHA1
a531ec27d6b863b9ca16e501e722f98fd7aa1660

SHA256
5c108ba204299be838a95ac660f27363ab19f5b3f14a1321baeadba30651bc9a

SHA512
31516f8792c3eed714d10ef05e7a3977108e5762551476f015e93fced7375de5b1cd8ae6b7218f8a22a163e1c2fcab65afecb510ce4b07f175aed554d68a3165

Download Submit
\Users\Admin\AppData\Local\Temp\1ccf45c4f29f340012377bcfe6479fee_jaffacakes118.exe.log
Filesize
777KB

MD5
1ccf45c4f29f340012377bcfe6479fee

SHA1
fb1b183193d4395924aa9c3570c5fd30b1b8e321

SHA256
fd117e431e71ee7ed92e5cde68591e39114ed733c181e6701dd47ec1f7821493

SHA512
7b819340cbefb1b8ca9c82b521381adf32ba5d32f47cbcebcff220bf6135bbdb5adf5ec0086beeb2757616172183cdae3c222a1f9074cc8a685d8d21a1faec68

Download Submit
\Windows\SysWOW64\com\lsass.exe
Filesize
91KB

MD5
176a9ca3454ba4b209f79f26598a1cae

SHA1
573aac32ed2611c40a2cf11f0be2f665e6d1492f

SHA256
23a84ab941e99fa0ff83d0cad6777f097fa4683aa389cbb40e39ad284b261fd7

SHA512
dc7084e1db6ac6e76baf42616527cd775a5b31316052e925c6606e8256e9ee3eeaee5ff64c214a6f3a88ec0fb1f45ef941397106105b297d60e8a3197cf31fbe

Download Submit
\Windows\SysWOW64\dnsq.dll
Filesize
31KB

MD5
43afc709415b0dfb297dab1209d993b4

SHA1
41c01847c7533aa848ae3f1b82535385857693ed

SHA256
70a6d9489cbb1d3384780f0529c9b32e537e24bdf13c315d7b8e6b3d9d14fc8f

SHA512
a84cade3177e0d1b0672082faebca2a728f69f97750b080bd43a1567307e3b253b48e102adb7fb20ca48d882cb7094a8e1a7a0f816def1acca6072f3a21aaa91

Download Submit
memory/1288-120-0x0000000004370000-0x00000000044CE000-memory.dmp

Filesize
1.4MB

Download
memory/1288-69-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1288-62-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1288-119-0x0000000004370000-0x00000000044CE000-memory.dmp

Filesize
1.4MB

Download
memory/1288-138-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1716-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1716-15-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1716-13-0x0000000002DE0000-0x0000000002E0B000-memory.dmp

Filesize
172KB

Download
memory/1788-111-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1952-59-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1952-68-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2152-121-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2152-152-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2152-150-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2152-129-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2152-122-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2844-169-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-172-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-198-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-195-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-41-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-187-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-184-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-106-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2844-181-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-153-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-154-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-157-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-160-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-163-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-166-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-178-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-175-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2920-40-0x0000000002F30000-0x0000000002F5B000-memory.dmp

Filesize
172KB

Download
memory/2920-56-0x0000000002F30000-0x000000000308E000-memory.dmp

Filesize
1.4MB

Download
memory/2920-57-0x0000000002F30000-0x0000000002F5B000-memory.dmp

Filesize
172KB

Download
memory/2920-17-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2920-39-0x0000000002F30000-0x0000000002F5B000-memory.dmp

Filesize
172KB

Download
memory/2920-58-0x0000000002F30000-0x0000000002F5B000-memory.dmp

Filesize
172KB

Download
memory/2920-60-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download