Analysis
max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags
arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted
07-04-2024 19:42
Static task
static1
Behavioral task
behavioral1
Sample
e5b5eb1e61978a8f757c7011f5949959_JaffaCakes118.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
e5b5eb1e61978a8f757c7011f5949959_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
Target
e5b5eb1e61978a8f757c7011f5949959_JaffaCakes118.exe
Size
444KB
MD5
e5b5eb1e61978a8f757c7011f5949959
SHA1
7203c7048d1e3e4556fd3c45f53a7edf91ba34d9
SHA256
6bd8dfbc8c83fee901bf74160ed87fd28ace9d358982634287d199b550e31edd
SHA512
c7c3b4392108fd2379534a93eaf30f74a5a89d230d19c255e8f0911c6bf1c8ecbf787bc406a481692f6c9e47550505e451baebaebed548e2803e2ad1631cf0ab
SSDEEP
6144:nttttVkssroWoQTX5pS9t7RyBTBZEbv5QttttVkssroWoQTX5pS9t7RyB6:lkss8WBTGv5ekss8WB6
Malware Config
Signatures
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"
process: e5b5eb1e61978a8f757c7011f5949959_JaffaCakes118.exe
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
description: File opened for modification
ioc: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
process: e5b5eb1e61978a8f757c7011f5949959_JaffaCakes118.exe
Drops file in System32 directory 64 IoCs
Processes:
Drops file in Program Files directory 64 IoCs
Processes:
Drops file in Windows directory 64 IoCs
Processes:
NTFS ADS 1 IoCs
Processes:
description: File opened for modification
ioc: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
process: e5b5eb1e61978a8f757c7011f5949959_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid: 2268
process: e5b5eb1e61978a8f757c7011f5949959_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\e5b5eb1e61978a8f757c7011f5949959_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e5b5eb1e61978a8f757c7011f5949959_JaffaCakes118.exe"
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2268
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
888KB
MD5
8782d0a789c88bf6c3dba1ff251f1c29
SHA1
3e895d543c6124e280285282fb4f80804babd015
SHA256
d6d6a2c96e6d92c0a4d9fbb3dae2eeacd02bdfbc30a0991000c9f7683b90c216
SHA512
12ee7138c9466da6b4738c7d3f9e946f4288eb85a1fe90f89cf784a62a6b1e9b72e91ce104ce7b29df95a561e2694c4b59cc3c772b79bf4e95221066bcfe49d8