Analysis
max time kernel: 97s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 19-04-2024 23:57
Behavioral task: behavioral1
Sample: fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
Size: 173KB
MD5: fb749b67e3b3e6bfdc9cb2467a2c9acb
SHA1: 13748074e2b2386de82cfb967487cee2d82a2908
SHA256: e64c44186ebe9b3ccebb55b94b83e0074347d29d5b3fff36c7f17fa40e40d9ed
SHA512: 847d724a8a9584f0a7fac2199b9d67acdee97a6a7432b7091f0468cf3d047029172089f9fbe2a23579dd0914bbdb94eb72db43f25bf007759e8073652a38e238
SSDEEP: 3072:fhpZNAUncfuKz/Vy3ApP1pqvpkBrMxPSrCHw9SI+VFZfOVmehXvSRkRehfoebNZ:fhzNAZPNBpPnypxNArZSnhAM
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
Processes:
pid | process
2532 | mscorsvw.exe
2568 | mscorsvw.exe
2892 | OSE.EXE
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource | yara_rule
behavioral1/memory/856-0-0x0000000001000000-0x0000000001069000-memory.dmp | upx
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | upx
behavioral1/memory/2532-11-0x0000000010000000-0x0000000010070000-memory.dmp | upx
behavioral1/memory/2568-22-0x0000000000400000-0x0000000000479000-memory.dmp | upx
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | upx
behavioral1/memory/2532-28-0x0000000010000000-0x0000000010070000-memory.dmp | upx
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | upx
behavioral1/memory/2892-42-0x000000002E000000-0x000000002E086000-memory.dmp | upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir | upx
\??\c:\windows\SysWOW64\svchost.exe | upx
\??\c:\program files (x86)\microsoft office\office14\groove.exe | upx
\??\c:\windows\SysWOW64\searchindexer.exe | upx
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe | upx
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-330940541-141609230-1670313778-1000 | OSE.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-330940541-141609230-1670313778-1000\EnableNotifications = "0" | OSE.EXE
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 42 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\Z: | OSE.EXE
File opened (read-only) | \??\E: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\H: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\E: | OSE.EXE
File opened (read-only) | \??\K: | OSE.EXE
File opened (read-only) | \??\T: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\V: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\G: | OSE.EXE
File opened (read-only) | \??\J: | OSE.EXE
File opened (read-only) | \??\N: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\O: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\P: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\R: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\N: | OSE.EXE
File opened (read-only) | \??\P: | OSE.EXE
File opened (read-only) | \??\V: | OSE.EXE
File opened (read-only) | \??\Y: | OSE.EXE
File opened (read-only) | \??\J: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\I: | OSE.EXE
File opened (read-only) | \??\L: | OSE.EXE
File opened (read-only) | \??\R: | OSE.EXE
File opened (read-only) | \??\M: | OSE.EXE
File opened (read-only) | \??\K: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\S: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\W: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\Z: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\M: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\Q: | OSE.EXE
File opened (read-only) | \??\H: | OSE.EXE
File opened (read-only) | \??\S: | OSE.EXE
File opened (read-only) | \??\U: | OSE.EXE
File opened (read-only) | \??\I: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\U: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\X: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\Y: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\X: | OSE.EXE
File opened (read-only) | \??\G: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\Q: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\O: | OSE.EXE
File opened (read-only) | \??\W: | OSE.EXE
File opened (read-only) | \??\L: | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened (read-only) | \??\T: | OSE.EXE
Drops file in System32 directory (36 IoCs)
Processes:
description | ioc | process
File opened for modification | \??\c:\windows\syswow64\perfhost.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\alg.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\ieetwcollector.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\locator.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\wbengine.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\vssvc.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\locator.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\svchost.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File created | \??\c:\windows\SysWOW64\dllhost.vir | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\lsass.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File created | \??\c:\windows\SysWOW64\msiexec.vir | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File created | \??\c:\windows\SysWOW64\searchindexer.vir | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\msdtc.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\ieetwcollector.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\msiexec.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\vds.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\lsass.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\fxssvc.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\wbengine.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\fxssvc.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\ui0detect.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\vssvc.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\alg.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\ui0detect.exe | OSE.EXE
File created | \??\c:\windows\SysWOW64\svchost.vir | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\searchindexer.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\syswow64\perfhost.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\vds.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\dllhost.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\msdtc.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\snmptrap.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\SysWOW64\snmptrap.exe | OSE.EXE
File opened for modification | \??\c:\windows\SysWOW64\searchindexer.exe | OSE.EXE
Drops file in Program Files directory (59 IoCs)
Processes:
description | ioc | process
File opened for modification | \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File created | \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | OSE.EXE
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\program files (x86)\microsoft office\office14\groove.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe | OSE.EXE
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe | OSE.EXE
File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | OSE.EXE
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe | OSE.EXE
File opened for modification | \??\c:\program files (x86)\microsoft office\office14\groove.exe | OSE.EXE
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File created | \??\c:\program files (x86)\microsoft office\office14\groove.vir | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\program files\windows media player\wmpnetwk.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File created | C:\Program Files\7-Zip\Uninstall.vir | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
Drops file in Windows directory (27 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5DB92D22-F4D6-4687-81E8-74DFFB103164}.crmlog | dllhost.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe | OSE.EXE
File opened for modification | \??\c:\windows\ehome\ehsched.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\ehome\ehrecvr.exe | OSE.EXE
File opened for modification | \??\c:\windows\ehome\ehsched.exe | OSE.EXE
File created | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
File created | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\ehome\ehrecvr.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | OSE.EXE
File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | OSE.EXE
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{5DB92D22-F4D6-4687-81E8-74DFFB103164}.crmlog | dllhost.exe
File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe | OSE.EXE
File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe | OSE.EXE
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
pid | process
2892 | OSE.EXE (15 identical entries)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
description | pid | process
Token: SeTakeOwnershipPrivilege | 856 | fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
Token: SeRestorePrivilege | 2440 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2440 | msiexec.exe
Token: SeSecurityPrivilege | 2440 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2892 | OSE.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb749b67e3b3e6bfdc9cb2467a2c9acb_JaffaCakes118.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Drops file in Windows directory

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir
Filesize: 284KB
MD5: 7ffeb68eb174c10b3f48898548a2f2a0
SHA1: 6a02857cd6c936fe1566969450996e8d2d6af707
SHA256: 9f120500f86cd50bcfefd660dd2ddd192b7ec6909ec6d910978ed0b7c2d53269
SHA512: 3a7ee1ab3addb35746241579ab3713520900c8cc3d852532ae26c252b0821351158a0f2b97c8b37197351935c1e284b627912f675fffd0c8c8e5eee30a41627c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Filesize: 1.2MB
MD5: 81c19480abd4ea36763852ec1ee742d4
SHA1: 5b9469f27c40c96d6a74de59ed6c4eafcaa1a08a
SHA256: bdfe435ad5d00e55ea05332e2de62bd2aafc8bab6ec8925dbc0036226db700cd
SHA512: 3b71d6dc9d0f8c5d652b75db80078fee37c5e6b71cf1ad744b1b38c4ed553681ad50e6e6aaee8570cfef7c0b831e85b5156b44cb6c3f6d0a79c2ed1a7d1cbe58

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize: 284KB
MD5: 3defb5b8b9ed4bf769b3588a9704e265
SHA1: 3f4efef36e2dcd5b951ae5e3e326a66a8f4104d7
SHA256: 14a30ae50d0d6608e08c93614cd4f8fd30b34e462bcc63176b1d3f9743fcc786
SHA512: 7f8570f5084472778df1c55116e79f47a5011448771fa47902a855960d0889370bb50e2140fe34a4de7e7b6b0f433b8b2f67a36437b56745e5054f1f2884acf1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Filesize: 203KB
MD5: e73e9a9ded77ee2133e482b1d871c759
SHA1: 3797296cb892d7b8aa404b6085f42cdf26e6897e
SHA256: 163eea33c1c12a523e2a299bd40e1694e3a88e2bde5b628297202d0ded2c18b1
SHA512: 7511fa6e8b3d92ae4aa219a68dbfdddc49429f216ff480490d01feab3b9624b8acece54bfe4657471236541c35b0e2df7d7f1dc86198f3999b1a70db08b7f000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
Filesize: 1003KB
MD5: dbfd03d2482bbcb0daedc6b3ef1d9bf6
SHA1: 013ac923daf4fa9def9356a135a41fe6701ae41d
SHA256: 042c5fd2f3f53d9e06e43247b5896143b1f00160af12cc38deeace4fe9974f25
SHA512: bde889a74083528df10322381a12ac858027ba8d2775d3829a50085ce3283136ec046ff14062fc49b7da2dfe591c035950d85c8c3354ccf6450d872cecc66eaa

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Filesize: 234KB
MD5: 40661e382d722e14e4f91d63e8f251f3
SHA1: b44fa16d4213591cea1f9365e92a20a6d1658096
SHA256: 75b4efc59c848770f1e91f6326612618cc8333bf6981c45040aab260676424cb
SHA512: 7f947fbb5bf98c99ea799d23af2e6985d849a95fb0885db2c629a29cb0304db6f17a767df398f004fc578c38728bb518cde1561d66a68810d6c220e4301b7158

\??\c:\program files (x86)\microsoft office\office14\groove.exe
Filesize: 29.7MB
MD5: aded9254ac7f0cbf3b9489f50d01dcb4
SHA1: 0d86c664a70b38989cb28f8ff51e663837904cfa
SHA256: ef2fd3f07ca207272ac7ac5fb4edcaf82f59d3c43f4419b1428bb94068361409
SHA512: 0c301ecd54d20bde64cb721fc27d5156a7754cbc6a6d4552966dafa7518248196d22364633cb8ba4a11ac043eac81259a0694d9fc31db80b06151c60181eab4f

\??\c:\windows\SysWOW64\searchindexer.exe
Filesize: 562KB
MD5: 47bbce2e5948c054237d0911ce5caea6
SHA1: e21047574c35666f4a6e928280d602611f6549e9
SHA256: 57b7cbaccf4de610312eb46c011e50500f15236176fcdeae5120c690d1f45b48
SHA512: 36d12c4dc49615427034ea290d9826aee8fb6a6fc5363329d2f90c8ab347293a02638617b498c6ee05798460d318ee38ae78772f76feaf25a6bc1c451bf4a986

\??\c:\windows\SysWOW64\svchost.exe
Filesize: 164KB
MD5: 47c7f11ad5651fd51572ae361c58d387
SHA1: f29513531051454fd71bd601b1b0900cb9621d4e
SHA256: adb11e2ab43089c9894e0ebabafec21ca09c30cdd487c8b74b563805184fd1b2
SHA512: e211d2a99a4e8cbed8601fad2cb05e57203374a314c4566a0221d80df8e283097e86c91d242fa65c8b8cad1026da2b0c42698c14a69fed991133959008eb4482

memory/856-0-0x0000000001000000-0x0000000001069000-memory.dmp
Filesize: 420KB

memory/2532-28-0x0000000010000000-0x0000000010070000-memory.dmp
Filesize: 448KB

memory/2532-11-0x0000000010000000-0x0000000010070000-memory.dmp
Filesize: 448KB

memory/2568-22-0x0000000000400000-0x0000000000479000-memory.dmp
Filesize: 484KB

memory/2892-42-0x000000002E000000-0x000000002E086000-memory.dmp
Filesize: 536KB