Analysis

  max time kernel:   149s
  max time network:  122s
  platform:          windows7_x64
  resource:          win7-20240221-en
  resource tags:     arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:         04/04/2024, 13:23
Static task:      static1
Behavioral task:  behavioral1 (the run this report covers: resource win7-20240221-en)
  Sample:    b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
  Resource:  win7-20240221-en
Behavioral task:  behavioral2
  Sample:    b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
  Resource:  win10v2004-20240226-en
General

  Target:  b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
  Size:    1.9MB
  MD5:     b97280557bb93a7c0dccaa1e3f110200
  SHA1:    1af745e0135d22a69cb29a4f2bd609277887dc8c
  SHA256:  df3b58ca2c9732eca60f37a13eef1d6f2b6c8fc0e33b3aafd26d535bca9ceff6
  SHA512:  8121adca35a58904f00702a61294712145136269dc06eb2dff05efff2901de984f657fc4c3d12e98b2c0fd269e51b0d1384d5360f4956a777fb2d11f25d18907
  SSDEEP:  49152:EpQN2wy6vNZNPriyrOO53RTqtiq0g7mM+M6RkMkIM7I0676:D3ziyrOO53HM+M6RkMkIM7
Malware Config
  (none shown in the report)

Signatures

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive material. The report attaches no individual IoC to this signature, so the specific files or profiles read are not shown.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"
  Process: b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
  The key sits under Wow6432Node because the sample is a 32-bit process on x64 Windows and the registry redirector maps its HKLM\SOFTWARE writes there; the value is still processed at logon. On a live host, look for the value name WinFirewall and for the hex-named directory directly under the drive root that it points at.

Drops autorun.inf file (1 TTP, 1 IoC)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
  Process: b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
Drops file in System32 directory (64 IoCs)
  Process for every entry: b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
  Action for every entry: File opened for modification
  All paths are under C:\Windows\SysWOW64, the 32-bit System32 view, and every entry is an existing executable. Three signatures on this page each list exactly 64 entries, the report's display limit, so the figures are lower bounds.

  C:\Windows\SysWOW64\diskperf.exe
  C:\Windows\SysWOW64\ieUnatt.exe
  C:\Windows\SysWOW64\sfc.exe
  C:\Windows\SysWOW64\IME\IMEJP10\imjpuexc.exe
  C:\Windows\SysWOW64\choice.exe
  C:\Windows\SysWOW64\ctfmon.exe
  C:\Windows\SysWOW64\dccw.exe
  C:\Windows\SysWOW64\extrac32.exe
  C:\Windows\SysWOW64\rasphone.exe
  C:\Windows\SysWOW64\SetIEInstalledDate.exe
  C:\Windows\SysWOW64\cliconfg.exe
  C:\Windows\SysWOW64\net.exe
  C:\Windows\SysWOW64\wimserv.exe
  C:\Windows\SysWOW64\wscript.exe
  C:\Windows\SysWOW64\IME\IMEJP10\IMJPDSVR.EXE
  C:\Windows\SysWOW64\find.exe
  C:\Windows\SysWOW64\rekeywiz.exe
  C:\Windows\SysWOW64\resmon.exe
  C:\Windows\SysWOW64\cmdkey.exe
  C:\Windows\SysWOW64\dplaysvr.exe
  C:\Windows\SysWOW64\fixmapi.exe
  C:\Windows\SysWOW64\NAPSTAT.EXE
  C:\Windows\SysWOW64\netbtugc.exe
  C:\Windows\SysWOW64\unlodctr.exe
  C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\IME\IMEJP10\IMJPMGR.EXE
  C:\Windows\SysWOW64\wbem\WMIC.exe
  C:\Windows\SysWOW64\efsui.exe
  C:\Windows\SysWOW64\icacls.exe
  C:\Windows\SysWOW64\msdt.exe
  C:\Windows\SysWOW64\RegisterIEPKEYs.exe
  C:\Windows\SysWOW64\RMActivate_isv.exe
  C:\Windows\SysWOW64\systray.exe
  C:\Windows\SysWOW64\migwiz\MigSetup.exe
  C:\Windows\SysWOW64\diantz.exe
  C:\Windows\SysWOW64\eventvwr.exe
  C:\Windows\SysWOW64\InfDefaultInstall.exe
  C:\Windows\SysWOW64\TapiUnattend.exe
  C:\Windows\SysWOW64\wininit.exe
  C:\Windows\SysWOW64\wuapp.exe
  C:\Windows\SysWOW64\getmac.exe
  C:\Windows\SysWOW64\lodctr.exe
  C:\Windows\SysWOW64\regini.exe
  C:\Windows\SysWOW64\RpcPing.exe
  C:\Windows\SysWOW64\WSManHTTPConfig.exe
  C:\Windows\SysWOW64\DevicePairingWizard.exe
  C:\Windows\SysWOW64\DeviceProperties.exe
  C:\Windows\SysWOW64\help.exe
  C:\Windows\SysWOW64\msiexec.exe
  C:\Windows\SysWOW64\isoburn.exe
  C:\Windows\SysWOW64\SearchIndexer.exe
  C:\Windows\SysWOW64\wecutil.exe
  C:\Windows\SysWOW64\SndVol.exe
  C:\Windows\SysWOW64\systeminfo.exe
  C:\Windows\SysWOW64\chkntfs.exe
  C:\Windows\SysWOW64\cttune.exe
  C:\Windows\SysWOW64\mobsync.exe
  C:\Windows\SysWOW64\sdiagnhost.exe
  C:\Windows\SysWOW64\cleanmgr.exe
  C:\Windows\SysWOW64\doskey.exe
  C:\Windows\SysWOW64\rdrleakdiag.exe
  C:\Windows\SysWOW64\TsWpfWrp.exe
  C:\Windows\SysWOW64\calc.exe
  C:\Windows\SysWOW64\psr.exe
Drops file in Program Files directory (64 IoCs)
  Process for every entry: b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
  Entries mix "File created" with "File opened for modification", and several paths carry a trailing "$" exactly as the report prints them; for javac.exe the report lists both javac.exe$ (opened for modification) and javac.exe (created).

  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\misc.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe$
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe$
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe$
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe$
  File opened for modification  C:\Program Files\Java\jre7\bin\jp2launcher.exe
  File created                  C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe
  File created                  C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe$
  File opened for modification  C:\Program Files\Mozilla Firefox\private_browsing.exe
  File created                  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE$
  File created                  C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
  File created                  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe$
  File created                  C:\Program Files\Java\jre7\bin\rmiregistry.exe
  File created                  C:\Program Files\Mozilla Firefox\plugin-container.exe
  File opened for modification  C:\Program Files\Windows Media Player\wmlaunch.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe
  File created                  C:\Program Files\Java\jre7\bin\javaws.exe
  File opened for modification  C:\Program Files\Microsoft Games\Chess\Chess.exe$
  File created                  C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\uninstall\helper.exe$
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
  File created                  C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe
  File opened for modification  C:\Program Files\Java\jre7\bin\javacpl.exe$
  File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe
  File opened for modification  C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe$
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE$
  File opened for modification  C:\Program Files (x86)\Windows Media Player\wmlaunch.exe
  File opened for modification  C:\Program Files\Java\jre7\bin\javaws.exe
  File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe$
  File opened for modification  C:\Program Files\7-Zip\Uninstall.exe
  File created                  C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe$
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe
  File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe$
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE
  File opened for modification  C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe$
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe$
  File opened for modification  C:\Program Files\Java\jre7\bin\java-rmi.exe$
  File created                  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe
  File created                  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
  File opened for modification  C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE
  File created                  C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe
  File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe$
  File created                  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE$
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE
  File opened for modification  C:\Program Files\Java\jre7\bin\klist.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE$
  File opened for modification  C:\Program Files (x86)\Google\Update\Install\{5CF72A45-AD68-472B-BBFF-38A947BD74EE}\chrome_installer.exe
  File opened for modification  C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE
Drops file in Windows directory (64 IoCs)
  Process for every entry: b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
  The shortened winsxs component names containing ".." are printed that way by the report. Targets include the WinSxS component store and its Backup folder, .NET Framework tools and native-image caches, and boot-critical binaries such as winload.exe and a winlogon.exe backup copy.

  File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\ComSvcConfig.ni.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  File opened for modification  C:\Windows\winsxs\amd64_infocard_b77a5c561934e089_6.1.7601.17514_none_583a8c60c0b305a1\infocard.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-regini_31bf3856ad364e35_6.1.7600.16385_none_684b2e15d381ea25\regini.exe
  File opened for modification  C:\Windows\winsxs\wow64_microsoft-windows-synchost_31bf3856ad364e35_6.1.7600.16385_none_cfcaa9124aa42f85\SyncHost.exe
  File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_11.2.9600.16428_none_3bb1024f1e6bc086\mshta.exe
  File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_64\mcupdate\f30beba36940b5a2b55a32ea7f42d694\mcupdate.ni.exe$
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_a018e05d0d33081d\dllhst3g.exe
  File opened for modification  C:\Windows\winsxs\Backup\wow64_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_c8df7823424473a1_netbtugc.exe_825f4f74
  File opened for modification  C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe
  File created                  C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-axinstallservice_31bf3856ad364e35_6.1.7601.17514_none_352b5454878cd498\AxInstUI.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-iis-metabase_31bf3856ad364e35_6.1.7601.17514_none_9757fd443892abe7\inetinfo.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_6.1.7601.17514_none_7f7f66788318015d\lpksetup.exe
  File opened for modification  C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\IMEPADSV.EXE
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe$
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-fax-service_31bf3856ad364e35_6.1.7601.17514_none_0b499f2c96e8f6b2\FXSUNATD.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-ie-pdm-configuration_31bf3856ad364e35_11.2.9600.16428_none_32a601ad2b7a554f\PDMSetup.exe
  File opened for modification  C:\Windows\winsxs\x86_infocard_b77a5c561934e089_6.1.7601.17514_none_9fe7c337d52f2ea7\infocard.exe
  File created                  C:\Windows\assembly\GAC_MSIL\ehexthost\6.1.0.0__31bf3856ad364e35\ehexthost.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-computerdefaults_31bf3856ad364e35_6.1.7600.16385_none_626b9352dcfa715c\ComputerDefaults.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-i..integration-support_31bf3856ad364e35_6.1.7600.16385_none_8429bbdebd38db4a\isintsup.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-icm-dccw_31bf3856ad364e35_6.1.7600.16385_none_76e39d87a834545e\dccw.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-runonce_31bf3856ad364e35_6.1.7601.17514_none_73e0da0bd5a77c41\runonce.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-s..ropertiesprotection_31bf3856ad364e35_6.1.7600.16385_none_bfa748753634ba48\SystemPropertiesProtection.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7601.17514_none_7288349cbfd37b08\taskmgr.exe
  File opened for modification  C:\Windows\winsxs\Backup\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17514_none_4008824c98f8edac_dnscacheugc.exe_aa32623e
  File opened for modification  C:\Windows\winsxs\Backup\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_6.1.7601.17514_none_227e1c01642654f4_wermgr.exe_d92a3b6c
  File opened for modification  C:\Windows\winsxs\x86_microsoft-windows-eventlog-commandline_31bf3856ad364e35_6.1.7600.16385_none_c0aa8bc2de239cf9\wevtutil.exe
  File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\c899de3549784161aa66610d5735e4f0\ehExtHost32.ni.exe
  File opened for modification  C:\Windows\assembly\NativeImages_v2.0.50727_64\dfsvc\9bc0d921859b039d6e9f642148333949\dfsvc.ni.exe
  File opened for modification  C:\Windows\ehome\ehshell.exe
  File created                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-s..estartup-fverecover_31bf3856ad364e35_6.1.7600.16385_none_ab0552bceeca5a61\BdeUnlockWizard.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.16385_none_9e59e11166b683d3\PDIALOG.exe
  File opened for modification  C:\Windows\winsxs\amd64_netfx-aspnet_wp_exe_b03f5f7f11d50a3a_6.1.7601.17514_none_5197fbf234706563\aspnet_wp.exe
  File opened for modification  C:\Windows\winsxs\amd64_netfx-dfsvc_b03f5f7f11d50a3a_6.1.7600.16385_none_96dbb959ba7c7a79\dfsvc.exe
  File created                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17514_none_c75e9c99a36a285a\winload.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\migwiz.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-securestartup-cpl_31bf3856ad364e35_6.1.7601.17514_none_b5ac5cc3a1b7e9ef\BitLockerWizard.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-takeown_31bf3856ad364e35_6.1.7601.17514_none_58116b392c3da43c\takeown.exe
  File created                  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe$
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehmsas_31bf3856ad364e35_6.1.7600.16385_none_8707c620868fdf75\ehmsas.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.1.7601.17514_none_fa2fc39ab7937a51\resmon.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\icsunattend.exe
  File opened for modification  C:\Windows\winsxs\wow64_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_f387767e655cd5ab\cmd.exe
  File created                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-atbroker_31bf3856ad364e35_6.1.7600.16385_none_2b95a17838063e9b\AtBroker.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-ehome-devices-mcrmgr_31bf3856ad364e35_6.1.7600.16385_none_901eda10f3ab38d2\McrMgr.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\MigAutoPlay.exe
  File opened for modification  C:\Windows\winsxs\amd64_msbuild_b03f5f7f11d50a3a_6.1.7601.17514_none_0de23daf595f5711\MSBuild.exe
  File opened for modification  C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_73e472e09a1a05d1\wmpshare.exe
  File opened for modification  C:\Windows\winsxs\x86_microsoft-windows-diantz_31bf3856ad364e35_6.1.7600.16385_none_a69c6a8f23f521f3\diantz.exe
  File opened for modification  C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-com-complus-setup_31bf3856ad364e35_6.1.7600.16385_none_459ccaf008ff34f6\mtstocom.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-regsvr32_31bf3856ad364e35_6.1.7600.16385_none_d44c0ef849349ed9\regsvr32.exe
  File opened for modification  C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\chgport.exe
  File opened for modification  C:\Windows\winsxs\Backup\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636_winlogon.exe_ac37d0c5
NTFS ADS (1 IoC)
  File opened for modification  C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
  Process: b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
  This is the same path as the autorun.inf IoC above: the colon after Temp\ makes it an alternate data stream name rather than a file in the directory listing, so a plain directory scan will not show it. Use the /R switch of dir, or an ADS-aware tool, when checking a host.

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2208  b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
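The IoC tables above arrive flattened, and the structure worth noticing is easy to miss in them: every System32 entry is an existing executable opened for modification, while the Program Files and Windows tables mix "File created" with "File opened for modification" and include pairs such as javac.exe$ (opened for modification) beside javac.exe (created). The script below is an added example, not part of the sandbox report or its tooling. It parses rows in the report's own flattened layout into records, counts them by action and by top-level directory, pairs each "$"-suffixed path with its original when both appear, flags NTFS stream paths like the autorun.inf entry, and picks out Run values whose target sits in a directory directly under the drive root, as the WinFirewall value does. The SAMPLE rows are copied from this report; the regular expressions, the record types and the "directory under the drive root" heuristic are this example's own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: rows copied from the report above, in its flattened
# "<action> <path> <process>" layout. One row per line here, but rows run
# together on a single line, as on the page, parse the same way.
SAMPLE = r"""
description ioc Process
File opened for modification C:\Windows\SysWOW64\diskperf.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
File opened for modification C:\Windows\SysWOW64\sfc.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
File created C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe$ b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
"""

# File row: action, a path that may contain spaces, then the process name.
# The lookahead stops the lazy path at the next row or at end of input.
# (Regexes are this example's assumption about the report layout.)
FILE_ROW = re.compile(
    r"(?P<action>File opened for modification|File created) "
    r"(?P<path>.+?) (?P<process>\S+)"
    r"(?= File (?:opened for modification|created) | Set value |$)"
)
# Registry row: Set value (type) \REGISTRY\...\Key\Name = "data" process
REG_ROW = re.compile(
    r"Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+)"
    r' = "(?P<data>[^"]*)" (?P<process>\S+)'
)


@dataclass(frozen=True)
class FileIoc:
    action: str
    path: str
    process: str


@dataclass(frozen=True)
class RegIoc:
    value_type: str
    key: str
    name: str
    data: str
    process: str


def _flatten(text: str) -> str:
    # Collapse line breaks so rows the extractor split mid-path still parse.
    return " ".join(text.split())


def parse_file_iocs(text: str) -> list[FileIoc]:
    return [FileIoc(m["action"], m["path"], m["process"])
            for m in FILE_ROW.finditer(_flatten(text))]


def parse_registry_iocs(text: str) -> list[RegIoc]:
    # The report doubles backslashes inside quoted string data; undo that.
    return [RegIoc(m["type"], m["key"], m["name"],
                   m["data"].replace("\\\\", "\\"), m["process"])
            for m in REG_ROW.finditer(_flatten(text))]


def is_ads_path(path: str) -> bool:
    # A colon anywhere after the drive letter names an NTFS alternate data stream.
    return ":" in path[2:]


def root_of(path: str) -> str:
    # "C:\Program Files (x86)\x\y.exe" -> "C:\Program Files (x86)"
    return "\\".join(path.split("\\")[:2])


def summarize(iocs: list[FileIoc]) -> dict:
    by_lower = {i.path.lower(): i.path for i in iocs}  # NTFS names are case-insensitive
    pairs, orphans = [], []
    for i in iocs:
        if not i.path.endswith("$"):
            continue
        original = by_lower.get(i.path[:-1].lower())
        if original:
            pairs.append((i.path, original))  # "$" copy and its original both listed
        else:
            orphans.append(i.path)
    return {
        "by_action": Counter(i.action for i in iocs),
        "by_root": Counter(root_of(i.path) for i in iocs),
        "dollar_pairs": pairs,
        "dollar_orphans": orphans,
        "ads": [i.path for i in iocs if is_ads_path(i.path)],
    }


def suspicious_run_values(regs: list[RegIoc]) -> list[RegIoc]:
    # Heuristic (this example's assumption): a Run value whose target sits in a
    # directory directly under the drive root, not under Program Files or
    # Windows, deserves review. The report's WinFirewall value is such a case.
    return [r for r in regs
            if r.key.lower().endswith(r"\currentversion\run")
            and len(r.data.split("\\")) == 3]


if __name__ == "__main__":
    result = summarize(parse_file_iocs(SAMPLE))
    print("by action:", dict(result["by_action"]))
    print("by root:  ", dict(result["by_root"]))
    print("$ copies with their original listed:", result["dollar_pairs"])
    print("NTFS stream paths:", result["ads"])
    for r in suspicious_run_values(parse_registry_iocs(SAMPLE)):
        print(f"review Run value {r.name} -> {r.data}")
```

Paste the full IoC sections of the report in place of SAMPLE to get the complete breakdown; the flattening step means it does not matter whether rows arrive one per line or run together as they do on this page.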
Processes

1. C:\Users\Admin\AppData\Local\Temp\b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b97280557bb93a7c0dccaa1e3f110200_JaffaCakes118.exe"
   PID: 2208
   Signatures:
   - Adds Run key to start application
   - Drops autorun.inf file
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - NTFS ADS
   - Suspicious use of SetWindowsHookEx

The tree contains this single process; no child process is recorded, and the patcher.exe referenced by the Run key does not appear as a running process in this run.
Network
  (section empty in the extracted report)

MITRE ATT&CK Enterprise v15
  (technique mapping not included in the extracted report)
Downloads

Sample (filesize 1.9MB)
  MD5:     b97280557bb93a7c0dccaa1e3f110200
  SHA1:    1af745e0135d22a69cb29a4f2bd609277887dc8c
  SHA256:  df3b58ca2c9732eca60f37a13eef1d6f2b6c8fc0e33b3aafd26d535bca9ceff6
  SHA512:  8121adca35a58904f00702a61294712145136269dc06eb2dff05efff2901de984f657fc4c3d12e98b2c0fd269e51b0d1384d5360f4956a777fb2d11f25d18907