Analysis
max time kernel: 130s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 07:37

Static task: static1

Behavioral task: behavioral1
Sample: 13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Resource: win10v2004-20240611-en
General
Target: 13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Size: 623KB
MD5: 13f2769975c7c3a834ad2f98de5fd2ed
SHA1: e453b159c317d6ce1300e9005902d5a145d650c0
SHA256: 176bebd01ef9664ac2087c283261ce4475525986cb2a24ec0d32748a012fbc3d
SHA512: c88956a8e1c815a40658fcf3a9fa8552423dc3dc9fcacd7e7196b76c5057f298a8a5b7b185c786f980cdbc29e39b95c42d527e63cf23d6c7d81f9aee17a309c8
SSDEEP: 12288:Ezs1pt4r/mPjMef1RpdCCdwe2lKowW+wG3Q/U52ioR52NiJ:Ew1QrOjDwe2CyiT85q0
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

UAC bypass
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
  pid | process
  3280 | netsh.exe

Executes dropped EXE 1 IoCs
Processes:
  pid | process
  3348 | update.exe

Loads dropped DLL 3 IoCs
Processes:
  pid | process
  1168 | 13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
  3348 | update.exe
  3348 | update.exe

Memory regions matching YARA rule upx
Processes:
  resource | yara_rule
  behavioral2/memory/1168-1-0x0000000002440000-0x0000000003470000-memory.dmp | upx
  behavioral2/memory/1168-11-0x0000000002440000-0x0000000003470000-memory.dmp | upx
  behavioral2/memory/1168-9-0x0000000002440000-0x0000000003470000-memory.dmp | upx
  behavioral2/memory/1168-69-0x0000000002440000-0x0000000003470000-memory.dmp | upx
  behavioral2/memory/1168-70-0x0000000002440000-0x0000000003470000-memory.dmp | upx
  behavioral2/memory/1168-84-0x0000000002440000-0x0000000003470000-memory.dmp | upx
  behavioral2/memory/1168-88-0x0000000002440000-0x0000000003470000-memory.dmp | upx
  behavioral2/memory/1168-98-0x0000000002440000-0x0000000003470000-memory.dmp | upx

Checks whether UAC is enabled
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SYSTEM.INI | 13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
  File opened for modification | C:\Windows\setupapi.log | update.exe
  File opened for modification | \??\c:\windows\KB901105.log | update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid | process
  1168 | 13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe (4 identical entries)

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1168 | 13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe (64 identical entries)

Suspicious use of WriteProcessMemory 43 IoCs
Processes:
  source process in every row: 13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe (pid 1168)
  description | target pid | target process
  PID 1168 wrote to memory of | 804 | fontdrvhost.exe
  PID 1168 wrote to memory of | 812 | fontdrvhost.exe
  PID 1168 wrote to memory of | 396 | dwm.exe
  PID 1168 wrote to memory of | 3280 | netsh.exe (x3)
  PID 1168 wrote to memory of | 2684 | sihost.exe
  PID 1168 wrote to memory of | 2712 | svchost.exe
  PID 1168 wrote to memory of | 2844 | taskhostw.exe
  PID 1168 wrote to memory of | 3572 | Explorer.EXE
  PID 1168 wrote to memory of | 3724 | svchost.exe
  PID 1168 wrote to memory of | 3904 | DllHost.exe
  PID 1168 wrote to memory of | 4004 | StartMenuExperienceHost.exe
  PID 1168 wrote to memory of | 4068 | RuntimeBroker.exe
  PID 1168 wrote to memory of | 676 | SearchApp.exe
  PID 1168 wrote to memory of | 4232 | RuntimeBroker.exe
  PID 1168 wrote to memory of | 1492 | TextInputHost.exe
  PID 1168 wrote to memory of | 3788 | RuntimeBroker.exe
  PID 1168 wrote to memory of | 4660 | backgroundTaskHost.exe
  PID 1168 wrote to memory of | 1632 | backgroundTaskHost.exe
  PID 1168 wrote to memory of | 3348 | update.exe (x3)
  PID 1168 wrote to memory of | 804 | fontdrvhost.exe
  PID 1168 wrote to memory of | 812 | fontdrvhost.exe
  PID 1168 wrote to memory of | 396 | dwm.exe
  PID 1168 wrote to memory of | 2684 | sihost.exe
  PID 1168 wrote to memory of | 2712 | svchost.exe
  PID 1168 wrote to memory of | 2844 | taskhostw.exe
  PID 1168 wrote to memory of | 3572 | Explorer.EXE
  PID 1168 wrote to memory of | 3724 | svchost.exe
  PID 1168 wrote to memory of | 3904 | DllHost.exe
  PID 1168 wrote to memory of | 4004 | StartMenuExperienceHost.exe
  PID 1168 wrote to memory of | 4068 | RuntimeBroker.exe
  PID 1168 wrote to memory of | 676 | SearchApp.exe
  PID 1168 wrote to memory of | 4232 | RuntimeBroker.exe
  PID 1168 wrote to memory of | 1492 | TextInputHost.exe
  PID 1168 wrote to memory of | 3788 | RuntimeBroker.exe
  PID 1168 wrote to memory of | 4660 | backgroundTaskHost.exe
  PID 1168 wrote to memory of | 3348 | update.exe (x2)
  PID 1168 wrote to memory of | 4132 | RuntimeBroker.exe
  PID 1168 wrote to memory of | 4676 | RuntimeBroker.exe

System policy modification 1 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Processes (tree depth in brackets; image path | command line; signatures listed beneath the process that triggered them)

[1] C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
[1] C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
[1] C:\Windows\system32\dwm.exe | "dwm.exe"
[1] C:\Windows\system32\sihost.exe | sihost.exe
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
[1] C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
[1] C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe"
      - UAC bypass
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [3] C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
    [3] \??\c:\221f68f1c283c53ef446fe\update\update.exe | c:\221f68f1c283c53ef446fe\update\update.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
[1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
[1] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
[1] C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13; counts in parentheses)
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads

C:\221f68f1c283c53ef446fe\_sfx_.dll
Filesize: 30KB
MD5: b9b02d97007953e74caaa38497e7278a
SHA1: 3954391efec4615a597594b02ad755f539d2fa42
SHA256: e4ecf14cf98b855642505802a04be2035db6e13600112c01632e2e600c8184cc
SHA512: 78f39f6c6167ba61f52501912b3c5fa6d8c0d594be9f9a5b888b2cb4e19c1d499328fe28a90cc1457e15b14f78ce5a3591b8ed1468afb8d5e944df07a7ae2c6e

C:\221f68f1c283c53ef446fe\update\update.exe
Filesize: 706KB
MD5: 159c70c4e6bbf38aab8ac6220f44497a
SHA1: 0ae927bc2752340a66c3984236ceaddad1c4b263
SHA256: 19cbcdba74e18aa42414082a8941d3634e763ad4e52e399fe818139aa2331ae0
SHA512: 2aeb58325113c1b7a694b9f29a1ce7b9e4e79d165fff6e69405d4ffdbd1b2fc9a51c8d4850b1bfc17b13c8608a7f92b3c77314eb30a4b9ae14b39cf3f0df25fd

C:\221f68f1c283c53ef446fe\update\updspapi.dll
Filesize: 378KB
MD5: 0c74bebb2e57e61cf2372e8936aa1286
SHA1: adc79970c4e7a1d64c84a13e52c45e1f7317873d
SHA256: 7890f3de15cf561a26f7e6d4009baada5a727df47ec63a7582477625e94087ed
SHA512: 1d3f303b7dd953b205b18f4424284c59d43a4ca1f5556db76dccc6f26ef53099a7cc12fbcafe63135f5ff01b79ba3ce902516b2d9de1a5582b73fbf40e124e69

C:\Users\Admin\AppData\Local\Temp\0E573865_Rar\13f2769975c7c3a834ad2f98de5fd2ed_JaffaCakes118.exe
Filesize: 551KB
MD5: 89d07e1d38c96bed465861fd6969ec60
SHA1: 8bd74dab8ba88a560c28db353fcb01068751945a
SHA256: f47924fb61ed8c497a3b8cf7bdc2693df818886333d4bede8cf2d5a81c12cbd2
SHA512: 390649fc16d9828f5eb7097f7e447f312911f698b58a65194ab6ebd604691f32a934984d54efca600c03d9320b557b5fdab0e04ea7e586e203479d4dbb98c534
Memory dumps (resource | filesize)
memory/1168-14-0x0000000001002000-0x0000000001003000-memory.dmp | 4KB
memory/1168-1-0x0000000002440000-0x0000000003470000-memory.dmp | 16.2MB
memory/1168-0-0x0000000001000000-0x0000000001030000-memory.dmp | 192KB
memory/1168-9-0x0000000002440000-0x0000000003470000-memory.dmp | 16.2MB
memory/1168-21-0x0000000001000000-0x0000000001030000-memory.dmp | 192KB
memory/1168-20-0x0000000001000000-0x0000000001030000-memory.dmp | 192KB
memory/1168-16-0x0000000003A00000-0x0000000003A01000-memory.dmp | 4KB
memory/1168-17-0x0000000003970000-0x0000000003972000-memory.dmp | 8KB
memory/1168-11-0x0000000002440000-0x0000000003470000-memory.dmp | 16.2MB
memory/1168-69-0x0000000002440000-0x0000000003470000-memory.dmp | 16.2MB
memory/1168-70-0x0000000002440000-0x0000000003470000-memory.dmp | 16.2MB
memory/1168-15-0x0000000003970000-0x0000000003972000-memory.dmp | 8KB
memory/1168-122-0x0000000001000000-0x0000000001030000-memory.dmp | 192KB
memory/1168-84-0x0000000002440000-0x0000000003470000-memory.dmp | 16.2MB
memory/1168-88-0x0000000002440000-0x0000000003470000-memory.dmp | 16.2MB
memory/1168-112-0x0000000003970000-0x0000000003972000-memory.dmp | 8KB
memory/1168-98-0x0000000002440000-0x0000000003470000-memory.dmp | 16.2MB
memory/3348-90-0x0000000000B80000-0x0000000000B81000-memory.dmp | 4KB
memory/3348-100-0x0000000000770000-0x0000000000772000-memory.dmp | 8KB
memory/3348-91-0x0000000000770000-0x0000000000772000-memory.dmp | 8KB
memory/3348-75-0x0000000000B20000-0x0000000000B80000-memory.dmp | 384KB