modiloader | edc505c4629a550f9356a06ce7f24bfffca9a39b0dd98da8234b1366b1ec5520

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
Size

7.2MB
MD5

1b07681e664e306e849cfac378fd5c36
SHA1

18c2aa65af42a6c17826e65b2d11e7a8da15555b
SHA256

edc505c4629a550f9356a06ce7f24bfffca9a39b0dd98da8234b1366b1ec5520
SHA512

e38280a95ea0979c54d4832ece66ab7841dc8f8489c5e7a72846e4f733ed60ba8121d0b3ee6dc711936cec54d12c267d1d25923e7bddc97785b57d531d73e97e
SSDEEP

196608:BuezwW++1nerHAOdMF69hTmo/7H4gsQ6hAady5q0V+amY:9zw5+crHALF69hTmO7DsVEqVax

Score

10^/10

modiloader trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2524-6-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral2/memory/2524-7-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral2/memory/2524-8-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral2/memory/2524-5-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2
behavioral2/memory/2524-48-0x0000000000400000-0x000000000042C000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
Executes dropped EXE 8 IoCs

Processes:

server.exeUpdater.exeserver.exeUpdater.exeserver.exeserver.exeUpdater.exeUpdater.exe

pid process

436 server.exe
1648 Updater.exe
4600 server.exe
2176 Updater.exe
1952 server.exe
4716 server.exe
4564 Updater.exe
3332 Updater.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3448 regsvr32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe

pid	process
436	server.exe
1648	Updater.exe
4600	server.exe
2176	Updater.exe
1952	server.exe
4716	server.exe
4564	Updater.exe
3332	Updater.exe

pid	process
3448	regsvr32.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4464-124-0x0000000010740000-0x00000000107C2000-memory.dmp	upx
behavioral2/memory/4464-129-0x0000000002080000-0x000000000208D000-memory.dmp	upx
behavioral2/memory/4464-133-0x0000000002090000-0x000000000209D000-memory.dmp	upx
behavioral2/memory/4464-140-0x00000000020A0000-0x00000000020AD000-memory.dmp	upx
behavioral2/memory/4464-144-0x00000000020B0000-0x00000000020BD000-memory.dmp	upx
behavioral2/memory/4464-148-0x00000000020C0000-0x00000000020CD000-memory.dmp	upx
behavioral2/memory/4464-159-0x00000000023E0000-0x00000000023ED000-memory.dmp	upx
behavioral2/memory/4464-174-0x00000000023F0000-0x00000000023FD000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

Processes:

1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exeserver.exe

description	ioc	process
File created	C:\Windows\SysWOW64\server.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\server.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Updater.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Updater.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\server.exe	server.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exeserver.exeUpdater.exe

description	pid	process	target process
PID 3172 set thread context of 876	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 set thread context of 2524	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 set thread context of 1364	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 set thread context of 1728	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 436 set thread context of 4600	436	server.exe	server.exe
PID 1648 set thread context of 2176	1648	Updater.exe	WerFault.exe
PID 436 set thread context of 1952	436	server.exe	server.exe
PID 436 set thread context of 4716	436	server.exe	server.exe
PID 1648 set thread context of 4564	1648	Updater.exe	server.exe
PID 1648 set thread context of 3332	1648	Updater.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 23 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1836	1364	WerFault.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
1536	4716	WerFault.exe	server.exe
1424	3332	WerFault.exe	Updater.exe
636	3560	WerFault.exe
3096	4896	WerFault.exe	server.exe
1604	4360	WerFault.exe	Updater.exe
512	3748	WerFault.exe	server.exe
4588	2412	WerFault.exe	Updater.exe
436	1764	WerFault.exe	server.exe
3504	4544	WerFault.exe	Updater.exe
2544	3736	WerFault.exe	Updater.exe
1876	3848	WerFault.exe	server.exe
3324	3332	WerFault.exe	server.exe
2664	3660	WerFault.exe	Updater.exe
4528	4080	WerFault.exe	Updater.exe
3932	1636	WerFault.exe	server.exe
4588	3748	WerFault.exe	server.exe
1568	4092	WerFault.exe	server.exe
1108	3860	WerFault.exe	server.exe
4432	5016	WerFault.exe	server.exe
2948	2660	WerFault.exe	server.exe
4216	1104	WerFault.exe	Updater.exe
908	4720	WerFault.exe	server.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

server.exe

pid process

1952 server.exe
1952 server.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe

pid process

1728 1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe

pid	process
1952	server.exe
1952	server.exe

pid	process
1728	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exeserver.exeUpdater.exe

description	pid	process	target process
PID 3172 wrote to memory of 876	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 876	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 876	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 876	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 876	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 2524	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 2524	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 2524	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 2524	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 2524	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 1364	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 1364	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 1364	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 1364	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 1364	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 2524 wrote to memory of 436	2524	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	WerFault.exe
PID 2524 wrote to memory of 436	2524	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	WerFault.exe
PID 2524 wrote to memory of 436	2524	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	WerFault.exe
PID 3172 wrote to memory of 1728	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 1728	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 1728	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 1728	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 3172 wrote to memory of 1728	3172	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
PID 1728 wrote to memory of 3448	1728	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	regsvr32.exe
PID 1728 wrote to memory of 3448	1728	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	regsvr32.exe
PID 1728 wrote to memory of 3448	1728	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	regsvr32.exe
PID 1728 wrote to memory of 1648	1728	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	server.exe
PID 1728 wrote to memory of 1648	1728	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	server.exe
PID 1728 wrote to memory of 1648	1728	1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe	server.exe
PID 436 wrote to memory of 4600	436	server.exe	server.exe
PID 436 wrote to memory of 4600	436	server.exe	server.exe
PID 436 wrote to memory of 4600	436	server.exe	server.exe
PID 436 wrote to memory of 4600	436	server.exe	server.exe
PID 436 wrote to memory of 4600	436	server.exe	server.exe
PID 1648 wrote to memory of 2176	1648	Updater.exe	WerFault.exe
PID 1648 wrote to memory of 2176	1648	Updater.exe	WerFault.exe
PID 1648 wrote to memory of 2176	1648	Updater.exe	WerFault.exe
PID 1648 wrote to memory of 2176	1648	Updater.exe	WerFault.exe
PID 1648 wrote to memory of 2176	1648	Updater.exe	WerFault.exe
PID 436 wrote to memory of 1952	436	server.exe	server.exe
PID 436 wrote to memory of 1952	436	server.exe	server.exe
PID 436 wrote to memory of 1952	436	server.exe	server.exe
PID 436 wrote to memory of 1952	436	server.exe	server.exe
PID 436 wrote to memory of 1952	436	server.exe	server.exe
PID 436 wrote to memory of 4716	436	server.exe	server.exe
PID 436 wrote to memory of 4716	436	server.exe	server.exe
PID 436 wrote to memory of 4716	436	server.exe	server.exe
PID 436 wrote to memory of 4716	436	server.exe	server.exe
PID 436 wrote to memory of 4716	436	server.exe	server.exe
PID 1648 wrote to memory of 4564	1648	Updater.exe	server.exe
PID 1648 wrote to memory of 4564	1648	Updater.exe	server.exe
PID 1648 wrote to memory of 4564	1648	Updater.exe	server.exe
PID 1648 wrote to memory of 4564	1648	Updater.exe	server.exe
PID 1648 wrote to memory of 4564	1648	Updater.exe	server.exe
PID 1648 wrote to memory of 3332	1648	Updater.exe	server.exe
PID 1648 wrote to memory of 3332	1648	Updater.exe	server.exe
PID 1648 wrote to memory of 3332	1648	Updater.exe	server.exe
PID 1648 wrote to memory of 3332	1648	Updater.exe	server.exe
PID 1648 wrote to memory of 3332	1648	Updater.exe	server.exe

C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
2⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
2⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\server.exe
"C:\Windows\system32\server.exe" \melt "C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\server.exe
C:\Windows\SysWOW64\server.exe
4⤵
- Executes dropped EXE
PID:4600

C:\Windows\SysWOW64\server.exe
C:\Windows\SysWOW64\server.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\server.exe"
5⤵
PID:1820

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
6⤵
PID:2724

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
6⤵
PID:4616

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
7⤵
PID:1536

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:2172

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:1556

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
9⤵
PID:3984

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:2540

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:4576

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
11⤵
PID:3048

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
12⤵
PID:1940

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 460
11⤵
- Program crash
PID:4432

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:4016

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 460
9⤵
- Program crash
PID:436

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:3220

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
9⤵
PID:2632

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
10⤵
PID:1364

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
10⤵
PID:4684

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
11⤵
PID:3112

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
12⤵
PID:1320

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
12⤵
PID:4184

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
13⤵
PID:1692

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
12⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 460
13⤵
- Program crash
PID:2948

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
12⤵
PID:448

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
10⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 460
11⤵
- Program crash
PID:4528

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
10⤵
PID:3576

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
11⤵
PID:4512

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
12⤵
PID:5072

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
12⤵
PID:1948

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
13⤵
PID:3848

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
12⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 464
13⤵
- Program crash
PID:4216

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
12⤵
PID:2688

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
13⤵
PID:2400

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:4456

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
6⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 460
7⤵
- Program crash
PID:3096

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
6⤵
PID:3660

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
7⤵
PID:3020

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
8⤵
PID:1696

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
8⤵
PID:4328

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
9⤵
PID:3640

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:2300

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:3736

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
11⤵
PID:3904

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
12⤵
PID:3188

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 460
11⤵
- Program crash
PID:1568

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:4380

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
8⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 460
9⤵
- Program crash
PID:2544

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
8⤵
PID:732

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
9⤵
PID:1864

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
10⤵
PID:3164

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
10⤵
PID:3872

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
11⤵
PID:1688

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
12⤵
PID:3040

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
12⤵
PID:4932

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
13⤵
PID:2244

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
12⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 460
13⤵
- Program crash
PID:908

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
12⤵
PID:4880

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
10⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 460
11⤵
- Program crash
PID:2664

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
10⤵
PID:2448

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
8⤵
PID:4440

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
6⤵
PID:2536

C:\Windows\SysWOW64\server.exe
C:\Windows\SysWOW64\server.exe
4⤵
- Executes dropped EXE
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 460
5⤵
- Program crash
PID:1536

C:\Windows\SysWOW64\server.exe
C:\Windows\SysWOW64\server.exe
4⤵
PID:2296

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
5⤵
PID:1248

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
6⤵
PID:2304

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
6⤵
PID:1860

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
7⤵
PID:2116

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:4812

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:2652

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
9⤵
PID:4360

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:3224

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:2756

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
11⤵
PID:836

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
12⤵
PID:4812

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
12⤵
PID:736

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 460
11⤵
- Program crash
PID:4588

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:1876

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 460
9⤵
- Program crash
PID:1876

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:4384

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:3696

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
6⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 464
7⤵
- Program crash
PID:1604

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
6⤵
PID:3984

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
7⤵
PID:908

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
8⤵
PID:4460

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
8⤵
PID:4516

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
9⤵
PID:4420

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:2980

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:3552

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
11⤵
PID:1208

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
12⤵
PID:3564

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 460
11⤵
- Program crash
PID:3932

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:4356

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
11⤵
PID:2136

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
12⤵
PID:3820

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
8⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 460
9⤵
- Program crash
PID:3504

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
8⤵
PID:2200

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
8⤵
PID:1860

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
6⤵
PID:1756

C:\Windows\SysWOW64\server.exe
C:\Windows\SysWOW64\server.exe
4⤵
PID:1332

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:4644

C:\Windows\SysWOW64\server.exe
C:\Windows\SysWOW64\server.exe
5⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
2⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 460
3⤵
- Program crash
PID:1836

C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
2⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\mswinsck.ocx"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:3448

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
4⤵
- Executes dropped EXE
PID:2176

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
4⤵
- Executes dropped EXE
PID:4564

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
5⤵
PID:660

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
6⤵
PID:3028

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
6⤵
PID:748

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
7⤵
PID:1068

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:2504

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:4380

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
9⤵
PID:4260

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:1648

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:2772

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
11⤵
PID:3572

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
12⤵
PID:1108

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:5000

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:3160

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 460
9⤵
- Program crash
PID:3324

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:2332

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:2412

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
6⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 460
7⤵
- Program crash
PID:512

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
6⤵
PID:3252

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
6⤵
PID:1348

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
4⤵
- Executes dropped EXE
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 460
5⤵
- Program crash
PID:1424

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
4⤵
PID:4196

C:\Windows\SysWOW64\Updater.exe
C:\Windows\system32\Updater.exe
5⤵
PID:4200

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
6⤵
PID:4364

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
6⤵
PID:4624

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Windows\SysWOW64\Updater.exe"
7⤵
PID:2044

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:1804

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:4564

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
9⤵
PID:4428

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:3948

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:2580

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe" \melt "C:\Users\Admin\AppData\Roaming\server.exe"
11⤵
PID:1812

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
12⤵
PID:1348

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 464
11⤵
- Program crash
PID:1108

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
10⤵
PID:3612

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:2936

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:5016

C:\Users\Admin\AppData\Roaming\server.exe
C:\Users\Admin\AppData\Roaming\server.exe
8⤵
PID:1248

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
6⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 468
7⤵
- Program crash
PID:4588

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
6⤵
PID:1792

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
6⤵
PID:4428

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
4⤵
PID:3820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:636

C:\Windows\SysWOW64\Updater.exe
C:\Windows\SysWOW64\Updater.exe
5⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\1b07681e664e306e849cfac378fd5c36_JaffaCakes118.exe
2⤵
PID:4464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:404

C:\Users\Admin\AppData\Roaming\SpywareCease_Setup.exe
"C:\Users\Admin\AppData\Roaming\SpywareCease_Setup.exe"
2⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\is-IG2E1.tmp\SpywareCease_Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IG2E1.tmp\SpywareCease_Setup.tmp" /SL5="$701D2,5942796,78848,C:\Users\Admin\AppData\Roaming\SpywareCease_Setup.exe"
3⤵
PID:2228

C:\Users\Admin\AppData\Roaming\steal.exe
"C:\Users\Admin\AppData\Roaming\steal.exe"
2⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 1000
3⤵
- Program crash
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1364 -ip 1364
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4716 -ip 4716
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3332 -ip 3332
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3560 -ip 3560
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4896 -ip 4896
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4360 -ip 4360
1⤵
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 3748 -ip 3748
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2412 -ip 2412
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1764 -ip 1764
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3848 -ip 3848
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3736 -ip 3736
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4544 -ip 4544
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3332 -ip 3332
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2936 -ip 2936
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3660 -ip 3660
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4080 -ip 4080
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1636 -ip 1636
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3748 -ip 3748
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4092 -ip 4092
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5016 -ip 5016
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5000 -ip 5000
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3860 -ip 3860
1⤵
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2660 -ip 2660
1⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4720 -ip 4720
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1104 -ip 1104
1⤵
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-IG2E1.tmp\SpywareCease_Setup.tmp
Filesize
694KB

MD5
24bc6f2072e1806252dddbdffb5e0520

SHA1
6a3a4146f4981d141ab6ae4665ef41ed8e611364

SHA256
98f59e925888ce7a96d638c67ba884f374d7ecf2c8a2a62b36c5f9f718e2b812

SHA512
f605603e87a29af7ec020f231b8a9f09b87e3e763701e9602ea27a442db3ab8457e864482ee1aebc80f50f0a81f67c18d3ff260723a7967f4e946b76daa361d0

Download Submit
C:\Users\Admin\AppData\Roaming\SpywareCease_Setup.exe
Filesize
5.9MB

MD5
c4c214bb68de61f34e0a67c299512cdc

SHA1
521f4c321036275d5e6a870c13a301de6abb8d3b

SHA256
7c81b04ec8d4b25ff58c565d82fe044ce0afb0fe2f2cff2594e3fbf68bed429a

SHA512
1ca6a8bc112cc95d30e2aeed60c39dcc74239f45cd270c3844784b8b72e9cfe38f4d6e8fb2bdc86c85b1fd42f36e2ba43b1e779ceeebd6e00702e3f0da7203eb

Download Submit
C:\Users\Admin\AppData\Roaming\steal.exe
Filesize
417KB

MD5
8d3c3a966d27dd1008875c5f61400fdd

SHA1
3b1c247c7d7e178ac12b4ad0ec45015493efa5ac

SHA256
bbff7fcd84a4dcb6a961824d053fda22a555637bcdbc4a7846da6832509f223e

SHA512
61f5863768a6b2f8121876186bb880ca0775e699bec6da2f7af6bda97d1dd83f707e2fce0f5e0e239bc35d66d5fdda7a153ea9342d0436ca75781cdd50a363f6

Download Submit
C:\Windows\SysWOW64\mswinsck.ocx
Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Windows\SysWOW64\server.exe
Filesize
7.2MB

MD5
1b07681e664e306e849cfac378fd5c36

SHA1
18c2aa65af42a6c17826e65b2d11e7a8da15555b

SHA256
edc505c4629a550f9356a06ce7f24bfffca9a39b0dd98da8234b1366b1ec5520

SHA512
e38280a95ea0979c54d4832ece66ab7841dc8f8489c5e7a72846e4f733ed60ba8121d0b3ee6dc711936cec54d12c267d1d25923e7bddc97785b57d531d73e97e

Download Submit
memory/876-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/876-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/876-4-0x0000000000020000-0x0000000000031000-memory.dmp

Filesize
68KB

Download
memory/876-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1364-11-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1364-9-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1728-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1728-47-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2524-5-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2524-48-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2524-6-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2524-7-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2524-8-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4464-140-0x00000000020A0000-0x00000000020AD000-memory.dmp

Filesize
52KB

Download
memory/4464-133-0x0000000002090000-0x000000000209D000-memory.dmp

Filesize
52KB

Download
memory/4464-129-0x0000000002080000-0x000000000208D000-memory.dmp

Filesize
52KB

Download
memory/4464-144-0x00000000020B0000-0x00000000020BD000-memory.dmp

Filesize
52KB

Download
memory/4464-148-0x00000000020C0000-0x00000000020CD000-memory.dmp

Filesize
52KB

Download
memory/4464-159-0x00000000023E0000-0x00000000023ED000-memory.dmp

Filesize
52KB

Download
memory/4464-124-0x0000000010740000-0x00000000107C2000-memory.dmp

Filesize
520KB

Download
memory/4464-120-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4464-118-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4464-174-0x00000000023F0000-0x00000000023FD000-memory.dmp

Filesize
52KB

Download