fb223a9f677b9f57c17070e9ef3fb6f1069cccd0f1a1232a05efe54500c1d2fd

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
Size

197KB
MD5

ca2dd3823b02716df12227f29dd6aa77
SHA1

8809314d3b6ce131587238c66743efbffe8797f3
SHA256

fb223a9f677b9f57c17070e9ef3fb6f1069cccd0f1a1232a05efe54500c1d2fd
SHA512

45fa895c244e9527fdf3518e149f070265f3ac683c59f80a53f049cca3f3cbd10b6be539ce57a935247d2b9eeb3e746aa0e74b19d242f4a334257795d3db814d
SSDEEP

3072:c7puEEMohqTY9VHPfueN8/VF3DLmkI10XoY5XrA5j3+UbGODbG:IpMM6Vg/fF9ouayeDi

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Contacts a large (1446) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ati display driver = "ÔN@"	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\powercfg.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SearchFilterHost.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\timeout.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrs.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\netbtugc.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\autofmt.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sc.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\autofmt.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\mighost.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\net.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sethc.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\diskpart.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mtstocom.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\osk.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\regini.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ROUTE.EXE-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\diskcomp.com-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPMGR.EXE	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TpmInit.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dpnsvr.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vssadmin.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mountvol.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cliconfg.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mode.com-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ndadmin.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WMIADAP.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MigAutoPlay.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wscript.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NETSTAT.EXE-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMESC5\IMSCPROP.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Netplwiz.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\efsui.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\mofcomp.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sethc.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TCPSVCS.EXE-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xpsrchvw.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Netplwiz.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wecutil.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\charmap.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cscript.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ComputerDefaults.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RmClient.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\schtasks.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\syskey.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\colorcpl.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tasklist.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msra.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPDSVR.EXE-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\regedit.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SearchProtocolHost.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\where.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllhst3g.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DisplaySwitch.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DpiScaling.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\notepad.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TSTheme.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\choice.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DeviceProperties.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\MigSetup.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\newdev.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rundll32.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\srdelayed.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\WMPDMC.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\WMPDMC.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpshare.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Hearts\Hearts.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\pingsender.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Mail\WinMail.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\pingsender.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Windows Defender\MpCmdRun.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Mail\wabmig.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\ktab.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\setup_wm.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpconfig.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Windows Journal\PDIALOG.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\wab.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\setup_wm.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpenc.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\WMPSideShowGadget.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\wow64_microsoft-windows-w..for-management-core_31bf3856ad364e35_6.1.7601.17514_none_32e02520f8081891\WSManHTTPConfig.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dxp-deviceexperience_31bf3856ad364e35_6.1.7601.17514_none_a54b31331066c8e2\Dxpserver.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.17514_none_7df14b591094e7ec\TsUsbRedirectionGroupPolicyControl.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_addinutil_b77a5c561934e089_6.1.7601.17514_none_1a816bc7556b71eb\AddInUtil.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-s..csengine-nativehost_31bf3856ad364e35_6.1.7600.16385_none_806f80a8aaa33dd4\sdiagnhost.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-htmlhelp_31bf3856ad364e35_6.1.7600.16385_none_244ae8599e6d81bb\hh.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mspaint_31bf3856ad364e35_6.1.7600.16385_none_ea12784c0842bfc1\mspaint.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7601.17514_none_21ceb2d66a98ec2f\mofcomp.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-muicachebuilder_31bf3856ad364e35_6.1.7601.17514_none_1c140627131a6df3\mcbuilder.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..native-whitebox-isv_31bf3856ad364e35_6.1.7601.17514_none_eb5947ea4debcf36\RMActivate_isv.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_regsvcs_b03f5f7f11d50a3a_6.1.7601.17514_none_76de745b101f0148\RegSvcs.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dispdiag_31bf3856ad364e35_6.1.7600.16385_none_a0d95afc49c833b6\dispdiag.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7601.22091_none_d0d0722c3bb0dc09\setup16.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cleanmgr_31bf3856ad364e35_6.1.7600.16385_none_6d1a8c84bedf66a4\cleanmgr.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-gc-registeriepkeys_31bf3856ad364e35_11.2.9600.16428_none_0a3fe92b38dd8c45\RegisterIEPKEYs.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7600.16385_none_ce6f64032560fa6b\user.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-nslookup_31bf3856ad364e35_6.1.7601.17514_none_cd87dddbc4b4a790\nslookup.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_6.1.7601.17514_none_935e5e07aa28aa00\rdpsign.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-ieexec_b03f5f7f11d50a3a_6.1.7600.16385_none_7dfc94f7357c56d2\IEExec.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-gc-registeriepkeys_31bf3856ad364e35_8.0.7601.17514_none_44aa873ff9136c27\RegisterIEPKEYs.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-charmap_31bf3856ad364e35_6.1.7600.16385_none_4e4eaf05be0c2d8f\charmap.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-devices-mcxtask_31bf3856ad364e35_6.1.7600.16385_none_b6bc1aae9d0693c5\McxTask.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_678566b7ddea04a5\poqexec.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_6.1.7600.16385_none_5ec90957e1a8fe95\shutdown.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_6.1.7601.17514_none_7a2ff57a626c29fd\SpeechUXWiz.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-whoami_31bf3856ad364e35_6.1.7600.16385_none_2a716ffd9b872f68\whoami.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-ieexec_b03f5f7f11d50a3a_6.1.7600.16385_none_7dfc94f7357c56d2\IEExec.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-icacls_31bf3856ad364e35_6.1.7600.16385_none_328af534074dc6cc\icacls.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7600.16385_none_cd7aeeff1897d018\unlodctr.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rpc-locator_31bf3856ad364e35_6.1.7600.16385_none_2b2984d40648fbe7\Locator.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_0b66cb34258c936f\SvcIni.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_6.1.7600.16385_none_934d08d31b96d4ee\sdchange.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-installer-executable_31bf3856ad364e35_6.1.7601.17514_none_4b88deb7e45bfbb0\msiexec.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-control_31bf3856ad364e35_6.1.7600.16385_none_f560eae4c42edb14\control.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.1.7601.17514_none_fa2fc39ab7937a51\resmon.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_d911df4e81059b22\tree.com_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sethc_31bf3856ad364e35_6.1.7601.17514_none_c0e644688bbad892\sethc.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-computerdefaults_31bf3856ad364e35_6.1.7600.16385_none_064cf7cf249d0026\ComputerDefaults.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89\winload.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..lepc-mobilitycenter_31bf3856ad364e35_6.1.7601.17514_none_b8bffa4921e2a435\mblctr.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-regini_31bf3856ad364e35_6.1.7600.16385_none_684b2e15d381ea25\regini.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-driverquery_31bf3856ad364e35_6.1.7600.16385_none_95f92198f65d354d\driverquery.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-shell-previewhost_31bf3856ad364e35_6.1.7601.17514_none_4544cf0e5f20beea\prevhost.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-whoami_31bf3856ad364e35_6.1.7600.16385_none_ce52d479e329be32\whoami.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\ehome\mcupdate.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..player-shellpreview_31bf3856ad364e35_6.1.7600.16385_none_1c92c4d88ce86757\wmprph.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_6.1.7601.17514_none_848b402bf3e1c3b1\wksprt.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wusa_31bf3856ad364e35_6.1.7601.17514_none_0b2696ec2f3c656d\wusa.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_ba2f56d3c4bcbafb\explorer.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.1.7601.17514_none_be8bab32249b2a4e\RegSvcs.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..cationnotifications_31bf3856ad364e35_6.1.7600.16385_none_737951ab23cf8ea0\LocationNotifications.exe-	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_698fc88e65b943d6\wmpconfig.exe_	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418451285"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000cd4d6aa4620b920e86ca9e72b0d7abc419b1587300b3ed7c88b881685f2eb359000000000e800000000200002000000026d43cb2f5b8354698221721361c72a3bba1859ca57f377c72ec154c39dc9e3520000000adba26e8b03f532f95144cfedb26402e5f8c06a4cadd8931c8fff46721e145014000000088e92c83c956f30b5e30de61dc37a77c5e50a72bbce2f2796230dae89144a92f731ffe7913e125c2b1af0e058fe652491fa756d8b349bf86fbfbdde95cd92d18	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c06967620d87da01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000870ac4a46e1ad340b803073551a15300eb1e60cb8ca46e34aeeb33b2290b76c7000000000e80000000020000200000004b86bd149a2a28d842cf41d0404f0beceb39d61856642ce9505760231c9ebecb9000000085225cc1f3b913503f90341d2c22ba57af5f726848dfeea77b9449fd3deee36121c32e8b62891ebcc0e09cbe1b994493e85aeb456c17dcf647b709862dcb57b1d5f743009ec1567a19b98b8d900a0186506575759e143ffebbf4a5bc6a2270a030b7cda83c77b046f522e573e9fbc0efe50732c92fa7953b3211f2b94b6bed9c96e77f469e8f29e88ff4a7efcf955b094000000078dff8e6b57f0b75f82bd67a3e01c899244b017afa6a6d4cf7ed132ad12273db9012245af7ab18361ffc7bd580c0d98504c1c789a5a01f4b57ee38d67903a066	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8C3D1151-F300-11EE-AAE3-FED1941498E6} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2448	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2448	IEXPLORE.exe
2448	IEXPLORE.exe
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2448	2160	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2448	2160	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2448	2160	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2448	2160	ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe	28
PID 2448 wrote to memory of 2192	2448	IEXPLORE.exe	29
PID 2448 wrote to memory of 2192	2448	IEXPLORE.exe	29
PID 2448 wrote to memory of 2192	2448	IEXPLORE.exe	29
PID 2448 wrote to memory of 2192	2448	IEXPLORE.exe	29

C:\Users\Admin\AppData\Local\Temp\ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ca2dd3823b02716df12227f29dd6aa77_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Program Files\Internet Explorer\IEXPLORE.exe
  "C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
343KB

MD5
e594560f2f82ddb90288b59bcccdcb6e

SHA1
5013fbe45e29c44e0281f16a12512c8b31059fef

SHA256
353d51b635dacee964a28d023d30ae071b23719929f587f275285c47effcc2fe

SHA512
da926196bec321c02e6847e78f71f96c4255d51b1d4174306a8d7a8847791b378011e2d5e84a2ed8dd12bd8130b93292dc2ab8281d4138be7d3d625ca2fc82b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59fa46e6fe29a8a826849200241e6084

SHA1
dc5a290a264db7ed66a7997effe821ade7771515

SHA256
054d4e56ff54035fe1195a9e01ac9887406aa3e4d0d877a5de838bf63a322cd0

SHA512
a39718aa1ce7f1d1943f28d5ca824913794414ea5beaafdaade524a5157a5358090b8d8b7589a23b95d34d361623ce2490d3486255cd625a52f69f7b94901c6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
831c7a11fe57d693edd2f5796db6c0bb

SHA1
d45c6eaeabaa85d5937b8a9736a24f0901cb8a63

SHA256
6db9384c9e7b1f6ac09f2218defeff722c6975db78d2131a4a1ed7d128d9512b

SHA512
2de3fb18bcc5592218989124aa71bf03f9c7cd1787771bf26e581fb1c29ba22f7ac0f87b1c043989b07e77c20908cfb80e0d1b04f5d11fae7b3869adaa96890a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a2fb53b2c34d301311b4e3af147bcf3

SHA1
8e152608f06f16b47b9da95cb96d922242211f45

SHA256
d69bbca79b754056f8a60b42bfcfd721bd5edbb80a194e50e3b432a9d1604805

SHA512
3a5ca044ac085d19efce75054614728ab09805aa998aefaef24ff6bcc8109bb67ddb7f0a7c7fa85e2334764e2b7d07a4b9ead82333e41a71d5a9775559b493c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9c91aba7bb0b9e58601fe71515862e7e

SHA1
4fe78c0d27d67c51fb017dd23b3eec3175c804a6

SHA256
058593fbb762cb23696ffbefe9da7d5cede09ba9d1382b134ac79092ec183c9e

SHA512
08a5e599be8def27a40c96c2b435b7c6a572ecd5bc62b32edc2df5997013dd447ee2f5678badcb948b467779c46ff79d822b9d6a5be8f61dae2e976251d8a74e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f6f9e89bbbc2299cc9787427e0c2d57c

SHA1
c7af64d8fb099dfa35a87ed6511d954bff0b2e7d

SHA256
f3c75e9bc567b4d7f34172a3010e2d712ea30592fa7250798d2854005d3d8349

SHA512
d4e11db12c669fc4c9bd9cc7be319d274b53077de8ac6593904eb126a438aa3c2d144fc9c30dd2ae0b10dd9f9ccc13eb8ef18d3f40f0db36b80bd6fd9758ff7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9607f4161cb008a54aebfa56ddce28a8

SHA1
1823dfaad90f4326b32c3b21d4cc3e3ca5038a69

SHA256
58266c76766e802a2255251d4de939ba8ab928de49714e6861d6397e15bcdec1

SHA512
6d160aec1b6cc1facf69cff20bdb0902122877134183c842d41710b1af609a90e46db1e6754375e8ebc0bd4453a79ce449fe541ac8f6359c1ce8696ebb47772a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e4a1d44b3a5c66009b6dc28948a81bfe

SHA1
a5b7067cfeb44737c3fdf863ad589632a5e56273

SHA256
12a0ec4defda902338e8a82e1fd0bb0ca8d50029e1138fa89f80778d57ffb077

SHA512
2f105834508cf451dccce4ad5cbd0466668a164db845ecaf023ffbf973ff1771e123a0e5ac6939af49a341dd0cabbc8123183f085f4333619247e79ae1e42c5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
224a84e6bc21d28f4286ee4b20a7a7d6

SHA1
c27f415741f5c07dc9101b1c2248d9a75c68c353

SHA256
5bd911a524dee95e0f40bd4ac706155062cce4471e98ece327abde1f81206808

SHA512
36f359a2588bbb9ae4427365d3864d0b7ab3685231feb47f63342c222250b6b944ba473a82468c6a04cadc37b67a04c779c45369e323f115fa7c989c7b17d610

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6007558943321953b49ce3e80fc186e4

SHA1
198f73715549ad9c1e11ca71baa28d2bef7556de

SHA256
7162dcb8a4ded9bcf4ccd95dc5f15e401e1d658bf78bc208648c4df41642e528

SHA512
dd2aa8da6b7ab4d685c402fd536fa4d2248317005a7bc28520c3b4039a856eb887ef71e55b5b8525eae6d9a37369b679ef8bbaaeaf8b70a519334eba704999c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e92c409b578e63fa404256d356e2ec5

SHA1
f7df379c139138dd9dee4518b8eb77df988ea0f1

SHA256
73df6372246cc19bd2d9767e2bbb38f662549a8100166b7059bc5a6a27955e2b

SHA512
2ceea0e533dd207fa9faba2937ce4ee4b122522ce8576c348c4bf4ff2aa8312c759cc3c520cf50fbdb1bbf501afb555068c60f4b9c0b61cc7d7b24820f9e7640

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1c80ef3eb963c0997e5684a425ca93b2

SHA1
9a8876295ab004a56ab4c5183515eb7a29c739ad

SHA256
1111713f8b43f7ed607d12957a6ed8f262abd0f5ad1c5c2901c5da456aed1079

SHA512
0347d46096d7db8dafb569cd51642fe9dd56f78d6fe68659173eff2eab594af311771daf9073a61760bf1de3eaa6d5e6b02649daa8971f89ecd790a98c01b2bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
993a6a40a589738efb4a752dad64ed0a

SHA1
783d5eb5f3e3b7d5ed4510d6265b75817c812b8f

SHA256
86bbb28f74a5a7381950b7d3c0776cddb7f35273d727b47b62624277987488cc

SHA512
d3a3b66dbdcb2e87babeadb2c865ee3a49063f6cb5ee109c782432f416e74f43ee07eead7c8a123cd84efb75843ea9f50738d2eef557ada8ad5eae36067ff2eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e890600badad85c808cb1097576820b8

SHA1
f7486cbf09119ff98da94d33148d8460504874be

SHA256
6abe3a5dc6507589907fca89fe0c42d100865faae7e2311481e9d47d78218db2

SHA512
3bf39aa078915c4eb657b081c0dc63c7d1896763fe5c6e11fdc445f292446f45d088637a62fbe16fbaa8ac8bb616c9f22c648fc730e52cb0f54320842a2ede9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72f55da85c93342b74fb8f493556c740

SHA1
c8fc4e9801cc415c56270ec0531cfb8ec966d4f7

SHA256
bc96a2b857e6c5bd240003a80016071acf04c1ea9f1fc7d0b054b4cfb9deeedb

SHA512
d5cc5de9acf471f4f59b4fc5b31bd36cffbdb1948b0bf41198343ce6e2d51285740c19d0f42d3520eb8871686e38570de8cad51f3b318b3e2b70017bb119ad98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d898c282ee404992f06d985c65d4e17

SHA1
ba51d260dc9067dabd631e2958a098e78828e5b2

SHA256
62081f82ba3144e6dc7e345616836a3909bf4ee03aab636f3cc4b71f84ab0aaa

SHA512
76e5e769b144a0626a613896f9f2971f89d07eb414d61f908e0e43007efdf0eb452f2a514a0a2a33a9455c7a80f3186a057744bc50a86ff4918ba7896e082ac6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ae369a53d0d086238644d717aff7bc1e

SHA1
b4aeb68a1eaf13229210454aa2d3060a8b52fe4c

SHA256
17e76d636d0b0335c03c0f4771f3314c4fc6723595bbfd6252c0fcaad2df9ddc

SHA512
fa6794eb41a84aae8182ab39afea1238a5b92ed3e31df6776c53ccab0b8e665898be0b020c0717e15c082b8fa6f9c5599ae99adc292da8197529c31a65eafff9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15d67b769b1d7964af264912d2e2e7fb

SHA1
6d3fd5ac857d41c3338fb11a4c54f3d60cf39dd3

SHA256
5a40453d9c33ac8eb6167e31b30e124410764d612d9f74e2d2c2a4ae71b47681

SHA512
befd35a3b6208e40fcc301a58c8c67cfa57b1d8f655af1d4c4bebffda3eb12ac026698a652bc0d2fb13e01a6be244790112a8c6b26119e218ce471c006fc33d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32275d0688b409059e3690293ad78655

SHA1
c5ae51e59cd8ed8439c9e9e588a7f37e7e75ac07

SHA256
cb1cbed4458076b6804ca11229264b773eda69393e30fc5f62cd59b08f830daa

SHA512
90418c7e6bc22e10eab2fb20ad034d275d4c6728712fe9c1f201595ae58d51f43db569cfba7c8bf658889165386c3b736f355660d0a61fdba300a450a9c34121

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab362E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab36FD.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3712.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads