e64c44186ebe9b3ccebb55b94b83e0074347d29d5b3fff36c7f17fa40e40d9ed

Analysis

max time kernel
97s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
Size

173KB
MD5

fb749b67e3b3e6bfdc9cb2467a2c9acb
SHA1

13748074e2b2386de82cfb967487cee2d82a2908
SHA256

e64c44186ebe9b3ccebb55b94b83e0074347d29d5b3fff36c7f17fa40e40d9ed
SHA512

847d724a8a9584f0a7fac2199b9d67acdee97a6a7432b7091f0468cf3d047029172089f9fbe2a23579dd0914bbdb94eb72db43f25bf007759e8073652a38e238
SSDEEP

3072:fhpZNAUncfuKz/Vy3ApP1pqvpkBrMxPSrCHw9SI+VFZfOVmehXvSRkRehfoebNZ:fhzNAZPNBpPnypxNArZSnhAM

Score

7^/10

discovery evasion spyware stealer trojan upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

mscorsvw.exemscorsvw.exeOSE.EXE

pid process

2532 mscorsvw.exe
2568 mscorsvw.exe
2892 OSE.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2532	mscorsvw.exe
2568	mscorsvw.exe
2892	OSE.EXE

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/856-0-0x0000000001000000-0x0000000001069000-memory.dmp	upx
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	upx
behavioral1/memory/2532-11-0x0000000010000000-0x0000000010070000-memory.dmp	upx
behavioral1/memory/2568-22-0x0000000000400000-0x0000000000479000-memory.dmp	upx
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	upx
behavioral1/memory/2532-28-0x0000000010000000-0x0000000010070000-memory.dmp	upx
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	upx
behavioral1/memory/2892-42-0x000000002E000000-0x000000002E086000-memory.dmp	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir	upx
\??\c:\windows\SysWOW64\svchost.exe	upx
\??\c:\program files (x86)\microsoft office\office14\groove.exe	upx
\??\c:\windows\SysWOW64\searchindexer.exe	upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe	upx

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

OSE.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-330940541-141609230-1670313778-1000	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-330940541-141609230-1670313778-1000\EnableNotifications = "0"	OSE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OSE.EXEfb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\Z:	OSE.EXE
File opened (read-only)	\??\E:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\H:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\E:	OSE.EXE
File opened (read-only)	\??\K:	OSE.EXE
File opened (read-only)	\??\T:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\V:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\G:	OSE.EXE
File opened (read-only)	\??\J:	OSE.EXE
File opened (read-only)	\??\N:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\O:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\P:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\R:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\N:	OSE.EXE
File opened (read-only)	\??\P:	OSE.EXE
File opened (read-only)	\??\V:	OSE.EXE
File opened (read-only)	\??\Y:	OSE.EXE
File opened (read-only)	\??\J:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\I:	OSE.EXE
File opened (read-only)	\??\L:	OSE.EXE
File opened (read-only)	\??\R:	OSE.EXE
File opened (read-only)	\??\M:	OSE.EXE
File opened (read-only)	\??\K:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\S:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\W:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\Z:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\M:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\Q:	OSE.EXE
File opened (read-only)	\??\H:	OSE.EXE
File opened (read-only)	\??\S:	OSE.EXE
File opened (read-only)	\??\U:	OSE.EXE
File opened (read-only)	\??\I:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\U:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\X:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\Y:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\X:	OSE.EXE
File opened (read-only)	\??\G:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\Q:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\O:	OSE.EXE
File opened (read-only)	\??\W:	OSE.EXE
File opened (read-only)	\??\L:	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only)	\??\T:	OSE.EXE

Drops file in System32 directory 36 IoCs

Processes:

fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exeOSE.EXE

description	ioc	process
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	OSE.EXE
File created	\??\c:\windows\SysWOW64\svchost.vir	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	OSE.EXE

Drops file in Program Files directory 59 IoCs

Processes:

fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exeOSE.EXE

description	ioc	process
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	OSE.EXE
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	OSE.EXE
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	OSE.EXE
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	OSE.EXE
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Uninstall.vir	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe

Drops file in Windows directory 27 IoCs

Processes:

mscorsvw.exedllhost.exeOSE.EXEfb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5DB92D22-F4D6-4687-81E8-74DFFB103164}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\ehome\ehsched.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	OSE.EXE
File opened for modification	\??\c:\windows\ehome\ehsched.exe	OSE.EXE
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	OSE.EXE
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	OSE.EXE
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5DB92D22-F4D6-4687-81E8-74DFFB103164}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	OSE.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

OSE.EXE

pid	process
2892	OSE.EXE
2892	OSE.EXE
2892	OSE.EXE
2892	OSE.EXE
2892	OSE.EXE
2892	OSE.EXE
2892	OSE.EXE
2892	OSE.EXE
2892	OSE.EXE
2892	OSE.EXE
2892	OSE.EXE
2892	OSE.EXE
2892	OSE.EXE
2892	OSE.EXE
2892	OSE.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exemsiexec.exeOSE.EXE

description	pid	process
Token: SeTakeOwnershipPrivilege	856	fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
Token: SeRestorePrivilege	2440	msiexec.exe
Token: SeTakeOwnershipPrivilege	2440	msiexec.exe
Token: SeSecurityPrivilege	2440	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	OSE.EXE

C:\Users\Admin\AppData\Local\Temp\fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:2936

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir
Filesize
284KB

MD5
7ffeb68eb174c10b3f48898548a2f2a0

SHA1
6a02857cd6c936fe1566969450996e8d2d6af707

SHA256
9f120500f86cd50bcfefd660dd2ddd192b7ec6909ec6d910978ed0b7c2d53269

SHA512
3a7ee1ab3addb35746241579ab3713520900c8cc3d852532ae26c252b0821351158a0f2b97c8b37197351935c1e284b627912f675fffd0c8c8e5eee30a41627c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize
1.2MB

MD5
81c19480abd4ea36763852ec1ee742d4

SHA1
5b9469f27c40c96d6a74de59ed6c4eafcaa1a08a

SHA256
bdfe435ad5d00e55ea05332e2de62bd2aafc8bab6ec8925dbc0036226db700cd

SHA512
3b71d6dc9d0f8c5d652b75db80078fee37c5e6b71cf1ad744b1b38c4ed553681ad50e6e6aaee8570cfef7c0b831e85b5156b44cb6c3f6d0a79c2ed1a7d1cbe58

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
284KB

MD5
3defb5b8b9ed4bf769b3588a9704e265

SHA1
3f4efef36e2dcd5b951ae5e3e326a66a8f4104d7

SHA256
14a30ae50d0d6608e08c93614cd4f8fd30b34e462bcc63176b1d3f9743fcc786

SHA512
7f8570f5084472778df1c55116e79f47a5011448771fa47902a855960d0889370bb50e2140fe34a4de7e7b6b0f433b8b2f67a36437b56745e5054f1f2884acf1

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize
203KB

MD5
e73e9a9ded77ee2133e482b1d871c759

SHA1
3797296cb892d7b8aa404b6085f42cdf26e6897e

SHA256
163eea33c1c12a523e2a299bd40e1694e3a88e2bde5b628297202d0ded2c18b1

SHA512
7511fa6e8b3d92ae4aa219a68dbfdddc49429f216ff480490d01feab3b9624b8acece54bfe4657471236541c35b0e2df7d7f1dc86198f3999b1a70db08b7f000

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize
1003KB

MD5
dbfd03d2482bbcb0daedc6b3ef1d9bf6

SHA1
013ac923daf4fa9def9356a135a41fe6701ae41d

SHA256
042c5fd2f3f53d9e06e43247b5896143b1f00160af12cc38deeace4fe9974f25

SHA512
bde889a74083528df10322381a12ac858027ba8d2775d3829a50085ce3283136ec046ff14062fc49b7da2dfe591c035950d85c8c3354ccf6450d872cecc66eaa

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize
234KB

MD5
40661e382d722e14e4f91d63e8f251f3

SHA1
b44fa16d4213591cea1f9365e92a20a6d1658096

SHA256
75b4efc59c848770f1e91f6326612618cc8333bf6981c45040aab260676424cb

SHA512
7f947fbb5bf98c99ea799d23af2e6985d849a95fb0885db2c629a29cb0304db6f17a767df398f004fc578c38728bb518cde1561d66a68810d6c220e4301b7158

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe
Filesize
29.7MB

MD5
aded9254ac7f0cbf3b9489f50d01dcb4

SHA1
0d86c664a70b38989cb28f8ff51e663837904cfa

SHA256
ef2fd3f07ca207272ac7ac5fb4edcaf82f59d3c43f4419b1428bb94068361409

SHA512
0c301ecd54d20bde64cb721fc27d5156a7754cbc6a6d4552966dafa7518248196d22364633cb8ba4a11ac043eac81259a0694d9fc31db80b06151c60181eab4f

Download Submit
\??\c:\windows\SysWOW64\searchindexer.exe
Filesize
562KB

MD5
47bbce2e5948c054237d0911ce5caea6

SHA1
e21047574c35666f4a6e928280d602611f6549e9

SHA256
57b7cbaccf4de610312eb46c011e50500f15236176fcdeae5120c690d1f45b48

SHA512
36d12c4dc49615427034ea290d9826aee8fb6a6fc5363329d2f90c8ab347293a02638617b498c6ee05798460d318ee38ae78772f76feaf25a6bc1c451bf4a986

Download Submit
\??\c:\windows\SysWOW64\svchost.exe
Filesize
164KB

MD5
47c7f11ad5651fd51572ae361c58d387

SHA1
f29513531051454fd71bd601b1b0900cb9621d4e

SHA256
adb11e2ab43089c9894e0ebabafec21ca09c30cdd487c8b74b563805184fd1b2

SHA512
e211d2a99a4e8cbed8601fad2cb05e57203374a314c4566a0221d80df8e283097e86c91d242fa65c8b8cad1026da2b0c42698c14a69fed991133959008eb4482

Download Submit
memory/856-0-0x0000000001000000-0x0000000001069000-memory.dmp

Filesize
420KB

Download
memory/2532-28-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download
memory/2532-11-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download
memory/2568-22-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2892-42-0x000000002E000000-0x000000002E086000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads