Malware Analysis Report

2024-11-15 06:06

Sample ID 240407-x9xwyscd6w
Target e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118
SHA256 cb4416579b2cb0852226a59d6c7634531c901fea04ad61dc0df49e290d26e861
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

cb4416579b2cb0852226a59d6c7634531c901fea04ad61dc0df49e290d26e861

Threat Level: Shows suspicious behavior (score 7/10)

The file e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118 was classified as showing suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: RenamesItself

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 19:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 19:33

Reported

2024-04-07 19:36

Platform

win7-20240221-en

Max time kernel

106s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe"

Signatures

Reads user/profile data of web browsers (tags: spyware stealer; no indicator rows appear in this report for this signature)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\UsaShohdi.asu C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\UsaShohdi.asu C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\jp2launcher.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\7zFM.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORE.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Games\Hearts\Hearts.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Mozilla Firefox\crashreporter.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Games\FreeCell\FreeCell.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\VideoLAN\VLC\vlc.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Google\Chrome\Application\chrome_proxy.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Games\Hearts\Hearts.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\WINWORD.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\SCANPST.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe"

Network

N/A

Files

C:\Windows\SysWOW64\UsaShohdi.asu (hashes identical to the submitted sample: the dropped file is a copy of the sample itself)

MD5 e5b1ec014b853bea797f34ed9eaa680f
SHA1 dee54124b5f1f632b83004b95cbb6652917a90ae
SHA256 cb4416579b2cb0852226a59d6c7634531c901fea04ad61dc0df49e290d26e861
SHA512 3e505ee43cc190901f2a0734d6593aace8af5d65e53f08d2c2ed451cfc8668f6c27d24a8f4dea55856541678994e1a45742fdf2e8a018b4272d4666d85257e94

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe

MD5 b5a40d96208da1cbee98c752dd3719c2
SHA1 2588a0e75a68767d8980319af2d3731af0d529a9
SHA256 24c48661107b0b81b9f4307fdb562e9b792148ef8a12c445799cb943b7e3c6ab
SHA512 c013bc0b830a99ba0400d1354ce98cd3b50e10315269792189a677ec4582e1c8992bf2eac06e740dfc9dac80aefd15cbd059963aff21f524078e669ee6040c0f

C:\Users\Admin\AppData\Local\Temp\ose00000.exe

MD5 cf38a53575e37be928223bbecabbed3b
SHA1 583c8a605c5936cab22ce10501f26d2e11faefa9
SHA256 849c8389d8a65a79f2941ad0be86d26728c8fa97009368285389916bff6071c6
SHA512 e21784bbcb4779cdea417a570cbf5bbf99de1f6a059e4f239448940be5c52384792662578e25a03196043535a8241e5a74b2456f6b1ab066eb1a742451527848

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:33

Reported

2024-04-07 19:36

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe"

Signatures

Reads user/profile data of web browsers (tags: spyware stealer; no indicator rows appear in this report for this signature)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\UsaShohdi.asu C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\UsaShohdi.asu C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\misc.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Java\Java Update\jucheck.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\WORDICON.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\crashreporter.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\uninstall\helper.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Java\Java Update\jusched.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdateSetup.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\jconsole.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\ONENOTE.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\msoasb.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.17\MicrosoftEdgeUpdateSetup_X86_1.3.185.17.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\SETLANG.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\Wordconv.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\Uninstall.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\javaw.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\msotd.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\plugin-container.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\MSOSYNC.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Mozilla Firefox\plugin-container.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\updater.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
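The two "Drops file in Program Files directory" tables above (behavioral1 on Windows 7, behavioral2 on Windows 10) show the same pattern: for many third-party and Office executables, a file with the original base name and a ".usa" extension is opened for modification and a ".exe" with the original name is created, by the submitted sample process. The Python below is an added triage example, not part of the sandbox report or of the sample: it parses rows pasted from those tables, lists every base name that has both a ".usa" opened for modification and a ".exe" created, and reuses the same check as a host-side hunt over a file listing. SAMPLE_ROWS is a constructed excerpt copied from the behavioral1 table; the names ROW_RE, pair_exe_usa, usa_siblings and hunt_tree are chosen here.

```python
"""Added triage helpers (not from the report): pair '.usa' modifications with
'.exe' creations in the sandbox indicator rows, and reuse that check on a host."""
import ntpath
import os
import re
from collections import defaultdict

# Constructed excerpt: rows copied from the behavioral1
# 'Drops file in Program Files directory' table (the full table is much longer).
SAMPLE_ROWS = r"""
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORE.usa C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\UsaShohdi.asu C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A
"""

# One row is "<Description> <Indicator path> <Process path> <Target>".
# The indicator may contain spaces; the process path in this report does not,
# so "non-space run ending in .exe" followed by the target is unambiguous.
ROW_RE = re.compile(
    r"^(File opened for modification|File created) (.+?) (\S+\.exe) (\S+)$"
)


def normalize(path: str) -> str:
    """Strip the NT '\\??\\' prefix and lower-case so 'c:\\' and 'C:\\' rows compare equal."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_rows(text: str):
    """Yield (description, indicator, process, target) for every parsable row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            desc, indicator, process, target = m.groups()
            yield desc, normalize(indicator), normalize(process), target


def pair_exe_usa(text: str) -> list:
    """Return the sorted base paths that have BOTH a '.usa' opened for
    modification and a '.exe' created (the rename-and-replace pattern)."""
    exts_by_base = defaultdict(set)
    for desc, indicator, _process, _target in parse_rows(text):
        base, ext = ntpath.splitext(indicator)
        if ext == ".usa" and desc == "File opened for modification":
            exts_by_base[base].add(ext)
        elif ext == ".exe" and desc == "File created":
            exts_by_base[base].add(ext)
    return sorted(b for b, exts in exts_by_base.items() if exts == {".usa", ".exe"})


def usa_siblings(paths) -> list:
    """Host hunt: from an iterable of file paths, return every X.usa that has an
    X.exe beside it. Case-insensitive, sorted for stable output."""
    lowered = {normalize(p) for p in paths}
    return sorted(p for p in lowered
                  if p.endswith(".usa") and p[:-4] + ".exe" in lowered)


def hunt_tree(root: str) -> list:
    """Walk a real directory tree (e.g. a Program Files mount) and apply usa_siblings()."""
    listing = []
    for dirpath, _dirs, files in os.walk(root):
        listing.extend(os.path.join(dirpath, f) for f in files)
    return usa_siblings(listing)


if __name__ == "__main__":
    for base in pair_exe_usa(SAMPLE_ROWS):
        print("usa/exe pair:", base)
```

The parser is deliberately narrow: it relies on the process column containing no spaces, which holds for every row in this report but not for sandbox output in general. On a live host, an X.usa next to X.exe is only an indicator; confirm by hashing the X.exe against the sample's SHA256 (cb4416579b2cb0852226a59d6c7634531c901fea04ad61dc0df49e290d26e861) or the dropped-file hashes in the Files sections before treating the host as infected.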

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe"

Network

Country  Destination          Domain                            Proto
US       8.8.8.8:53           97.17.167.52.in-addr.arpa         udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa      udp
US       8.8.8.8:53           72.32.126.40.in-addr.arpa         udp
US       8.8.8.8:53           183.142.211.20.in-addr.arpa       udp
US       8.8.8.8:53           103.169.127.40.in-addr.arpa       udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa        udp
NL       52.142.223.178:80    (no domain recorded)              tcp
US       8.8.8.8:53           249.197.17.2.in-addr.arpa         udp

Files

C:\Windows\SysWOW64\UsaShohdi.asu (hashes identical to the submitted sample: the dropped file is a copy of the sample itself)

MD5 e5b1ec014b853bea797f34ed9eaa680f
SHA1 dee54124b5f1f632b83004b95cbb6652917a90ae
SHA256 cb4416579b2cb0852226a59d6c7634531c901fea04ad61dc0df49e290d26e861
SHA512 3e505ee43cc190901f2a0734d6593aace8af5d65e53f08d2c2ed451cfc8668f6c27d24a8f4dea55856541678994e1a45742fdf2e8a018b4272d4666d85257e94