Analysis Overview
SHA256
cb4416579b2cb0852226a59d6c7634531c901fea04ad61dc0df49e290d26e861
Threat Level: Shows suspicious behavior
The file e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: RenamesItself
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 19:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 19:33
Reported
2024-04-07 19:36
Platform
win7-20240221-en
Max time kernel
106s
Max time network
20s
Command Line
Signatures
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\UsaShohdi.asu | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\UsaShohdi.asu | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\7-Zip\7zG.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jre7\bin\jp2launcher.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\7zFM.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORE.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\misc.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Games\Hearts\Hearts.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Games\FreeCell\FreeCell.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\VideoLAN\VLC\vlc.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Google\Chrome\Application\chrome_proxy.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Games\Hearts\Hearts.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\WINWORD.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\SCANPST.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe"
Network
Files
C:\Windows\SysWOW64\UsaShohdi.asu
| Algorithm | Digest |
| --- | --- |
| MD5 | e5b1ec014b853bea797f34ed9eaa680f |
| SHA1 | dee54124b5f1f632b83004b95cbb6652917a90ae |
| SHA256 | cb4416579b2cb0852226a59d6c7634531c901fea04ad61dc0df49e290d26e861 |
| SHA512 | 3e505ee43cc190901f2a0734d6593aace8af5d65e53f08d2c2ed451cfc8668f6c27d24a8f4dea55856541678994e1a45742fdf2e8a018b4272d4666d85257e94 |
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | b5a40d96208da1cbee98c752dd3719c2 |
| SHA1 | 2588a0e75a68767d8980319af2d3731af0d529a9 |
| SHA256 | 24c48661107b0b81b9f4307fdb562e9b792148ef8a12c445799cb943b7e3c6ab |
| SHA512 | c013bc0b830a99ba0400d1354ce98cd3b50e10315269792189a677ec4582e1c8992bf2eac06e740dfc9dac80aefd15cbd059963aff21f524078e669ee6040c0f |
C:\Users\Admin\AppData\Local\Temp\ose00000.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | cf38a53575e37be928223bbecabbed3b |
| SHA1 | 583c8a605c5936cab22ce10501f26d2e11faefa9 |
| SHA256 | 849c8389d8a65a79f2941ad0be86d26728c8fa97009368285389916bff6071c6 |
| SHA512 | e21784bbcb4779cdea417a570cbf5bbf99de1f6a059e4f239448940be5c52384792662578e25a03196043535a8241e5a74b2456f6b1ab066eb1a742451527848 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 19:33
Reported
2024-04-07 19:36
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
93s
Command Line
Signatures
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\UsaShohdi.asu | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\UsaShohdi.asu | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\misc.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Common Files\Java\Java Update\jucheck.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\WORDICON.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\crashreporter.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\uninstall\helper.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Common Files\Java\Java Update\jusched.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdateSetup.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\jconsole.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\ONENOTE.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Java\jdk-1.8\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\msoasb.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.17\MicrosoftEdgeUpdateSetup_X86_1.3.185.17.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\SETLANG.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\Wordconv.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\Uninstall.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Java\jdk-1.8\bin\javaw.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\msotd.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\plugin-container.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\MSOSYNC.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File created | \??\c:\Program Files\Mozilla Firefox\plugin-container.exe | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\updater.usa | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e5b1ec014b853bea797f34ed9eaa680f_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\UsaShohdi.asu
| Algorithm | Digest |
| --- | --- |
| MD5 | e5b1ec014b853bea797f34ed9eaa680f |
| SHA1 | dee54124b5f1f632b83004b95cbb6652917a90ae |
| SHA256 | cb4416579b2cb0852226a59d6c7634531c901fea04ad61dc0df49e290d26e861 |
| SHA512 | 3e505ee43cc190901f2a0734d6593aace8af5d65e53f08d2c2ed451cfc8668f6c27d24a8f4dea55856541678994e1a45742fdf2e8a018b4272d4666d85257e94 |