236331819ef7fe66218b6915197d68e70627e0bca870c9a81bdcc4d62d6d1c0a

Analysis

max time kernel
157s
max time network
165s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
Size

52KB
MD5

f9c922fca988830388702e184d8673d5
SHA1

02c777729365f53c86a1a1baedc7733913bd7817
SHA256

236331819ef7fe66218b6915197d68e70627e0bca870c9a81bdcc4d62d6d1c0a
SHA512

22e97cdebb6892fa170af0629fd7bb6c2cd9f6dd7a9b1f327798bb8ac1a018f09d4a0017658a117b6b1e9c6b3c3cfd869ce63d5af9279699d03be8848c63d836
SSDEEP

768:kXVLeWYvwFJnmZpaKwVohZjczS2GqYNyvj7JD7lAdyljampBbgpQ:5zwFJnmZp2MZjhHKUdef

Score

6^/10

collection discovery

Malware Config

Signatures

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

f9c922fca988830388702e184d8673d5_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 808ea48c2992da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D0A3C061-FE1C-11EE-8C0A-EA483E0BCDAF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c2306770000000002000000000010660000000100002000000011177c3fdcc525fe974e2bb84943957f4dc2431856c5c09d6fde81ec48e52146000000000e800000000200002000000058b75c9242e1e6ce880452a1b525d2d56784aa961eb96f5167850f4b7d6258a4200000002a9720fbe4e84c891982adbb865d1504dd323c8f5fbedcaf0bbf6ca3b87d1a7b4000000036ed5d24dc1ca92d0ca92afc45cfe6f9ddc4c86574deb450680288dd1c6c65d15ace846dd23f5423015a0ed923a965987e1e9482d7d2f25f086526bacd5bec21	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f9c922fca988830388702e184d8673d5_JaffaCakes118.exe

pid	process
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f9c922fca988830388702e184d8673d5_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2604 f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

2524 iexplore.exe
1548 iexplore.exe
1560 iexplore.exe
2468 iexplore.exe
1364 iexplore.exe
2052 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2604	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
2524	iexplore.exe
2524	iexplore.exe
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
1548	iexplore.exe
1548	iexplore.exe
2020	IEXPLORE.EXE
2020	IEXPLORE.EXE
1560	iexplore.exe
1560	iexplore.exe
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
2468	iexplore.exe
2468	iexplore.exe
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
1364	iexplore.exe
1364	iexplore.exe
1064	IEXPLORE.EXE
1064	IEXPLORE.EXE
2052	iexplore.exe
2052	iexplore.exe
2280	IEXPLORE.EXE
2280	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 2524 wrote to memory of 2672	2524	iexplore.exe	IEXPLORE.EXE
PID 2524 wrote to memory of 2672	2524	iexplore.exe	IEXPLORE.EXE
PID 2524 wrote to memory of 2672	2524	iexplore.exe	IEXPLORE.EXE
PID 2524 wrote to memory of 2672	2524	iexplore.exe	IEXPLORE.EXE
PID 1548 wrote to memory of 2020	1548	iexplore.exe	IEXPLORE.EXE
PID 1548 wrote to memory of 2020	1548	iexplore.exe	IEXPLORE.EXE
PID 1548 wrote to memory of 2020	1548	iexplore.exe	IEXPLORE.EXE
PID 1548 wrote to memory of 2020	1548	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 1924	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 1924	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 1924	1560	iexplore.exe	IEXPLORE.EXE
PID 1560 wrote to memory of 1924	1560	iexplore.exe	IEXPLORE.EXE
PID 2468 wrote to memory of 2856	2468	iexplore.exe	IEXPLORE.EXE
PID 2468 wrote to memory of 2856	2468	iexplore.exe	IEXPLORE.EXE
PID 2468 wrote to memory of 2856	2468	iexplore.exe	IEXPLORE.EXE
PID 2468 wrote to memory of 2856	2468	iexplore.exe	IEXPLORE.EXE
PID 1364 wrote to memory of 1064	1364	iexplore.exe	IEXPLORE.EXE
PID 1364 wrote to memory of 1064	1364	iexplore.exe	IEXPLORE.EXE
PID 1364 wrote to memory of 1064	1364	iexplore.exe	IEXPLORE.EXE
PID 1364 wrote to memory of 1064	1364	iexplore.exe	IEXPLORE.EXE
PID 2052 wrote to memory of 2280	2052	iexplore.exe	IEXPLORE.EXE
PID 2052 wrote to memory of 2280	2052	iexplore.exe	IEXPLORE.EXE
PID 2052 wrote to memory of 2280	2052	iexplore.exe	IEXPLORE.EXE
PID 2052 wrote to memory of 2280	2052	iexplore.exe	IEXPLORE.EXE

outlook_win_path 1 IoCs

Processes:

f9c922fca988830388702e184d8673d5_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	f9c922fca988830388702e184d8673d5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f9c922fca988830388702e184d8673d5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9c922fca988830388702e184d8673d5_JaffaCakes118.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:2604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2524 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:2672

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1548

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1548 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1924

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2468 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:2856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1364 CREDAT:275457 /prefetch:2
2⤵
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2052

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2052 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2280

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d9e718cad50006b0dd4fa0ec1ce87c18

SHA1
b6d80f4f9883dd75f3dc259d91f2fc385a67f65e

SHA256
a9c0b04f57561a5a3e0d116f0986f1ec07b57aa0ce72c356a364bc6a5b3be227

SHA512
1ae980bc8ede60daaf678763007cd118a3da44cc0bf700c71c58edd5152dfd4a5f4185a71436be4e23739d63b7294db64c47b3478d8ffd6a612f0e534f21138f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
deb5741ca5bfdf4434cd542b70ab001f

SHA1
d2aebdcb743df54477ca7cc07d029cd935e81471

SHA256
b110988ff2e3064b4276b5edcdc38054409d45d10db4ac21622f23c989930720

SHA512
5ee68ecc71dcb3e95fef98d85fc53d661a133ba33ef61878741187b48b68d3eea070d629ff20b2319a2f35095cf33b23f841a81ed25e5195a8dd35905a4d302b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
30df84621a0fb7a8642aa8a1f13c73ef

SHA1
dd5cc463b339b41a81098279616584c4ba0d77df

SHA256
f50e6f892e0e41a4840da52e3b0a8051e616797c027f3d712426ef4253c064c6

SHA512
772d48b087432bb8fac271e9c53698b387cc97694c17bd0754983b933b05461552b4fb07b7bd52bd6175dddea0774bf5da8b80bb86394dbb2c201a1892e532d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
57ec294d896525cdf0a03535069fe94f

SHA1
05e43ea6a4c1d8b6ee079c398ce68132db26a7a6

SHA256
6a890ff80dfe7b8f104889ce7a0007cdd6fc5214f095831397a13d20da956f20

SHA512
eed01dcb863a6c273492a2b4e84d910f0ddc04e2a1dfc8fe54607943e4e2265045127a111239c1cad319b434ad0ad7e50f0e508e9ed51a72cda6eb7079b9d290

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
704051d3114f7b290e1c4bac09644b7e

SHA1
185b13b15f40e8b21b18f2d231e94d3f27e648a5

SHA256
8f67f0d5bf10edda742020c1b8eb4c3a32b8fa44b389f1e05c3e6d265c1011c5

SHA512
68e854888be95f47a9deb78a8631ca52d89403da5e5441682fd9c5edf8f27f16eeed875d7c3fd15a7270ccd110b3b5b21d0d7e5f8ca3486fcb48331b8eeebf4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3e6d8f937a13b6681f42e472b8c4ab9a

SHA1
06a2f8d95902f85f60487024b99036efa3584e9b

SHA256
f80f746fce893225b123655147028e41241e83eaa33ea703a21f8384c1cec529

SHA512
2f1c7a953d80c773a8ae3164320394e3f581e3f8066827eb67b92050f9ef28aced1e8e8eba825117ecd0c5aed1e291b215ebf632ff67df95e3d241d4a059fc2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7c298b9c2bd8a7ab19f1e4519b9612f5

SHA1
f8f3f2b63980bda485170ef8caeb2623c718eb5a

SHA256
c23f299d1c8accdfad28a89ab0c7628817176a3f7538a2838ed3ab2238863ba7

SHA512
ae604d357fdc7cd2ff078b8dd315c3534c5975ac359a00b054828094f16b6adf9a0ff78a0f46bca4e816cacda7725dd996b8a7e07b806d8732c456b8dc9ccc58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
84ab616a0f8126bcbecac020dda9e18d

SHA1
6817268a2d03d4f7b053d3d2ea34fbc208ff7628

SHA256
54d8aabdec5cc54a1a5716853ba7b6836f5ccfbf7231d00d3f24f70c4ec12ac8

SHA512
9041510a3a2e3c1dd2ac551f101412b1c55896eaf93a8aeb9d5ab58e06a4eae7ce5523f78824a835304ae24f81f0d23e0aa15b293fd83ffcb134214e630edb99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\23EIUNT7\bullet[1]
Filesize
447B

MD5
26f971d87ca00e23bd2d064524aef838

SHA1
7440beff2f4f8fabc9315608a13bf26cabad27d9

SHA256
1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d

SHA512
c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\23EIUNT7\http_404[1]
Filesize
6KB

MD5
f65c729dc2d457b7a1093813f1253192

SHA1
5006c9b50108cf582be308411b157574e5a893fc

SHA256
b82bfb6fa37fd5d56ac7c00536f150c0f244c81f1fc2d4fefbbdc5e175c71b4f

SHA512
717aff18f105f342103d36270d642cc17bd9921ff0dbc87e3e3c2d897f490f4ecfab29cf998d6d99c4951c3eabb356fe759c3483a33704ce9fcc1f546ebcbbc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQQVSTWU\httpErrorPagesScripts[2]
Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQQVSTWU\info_48[1]
Filesize
4KB

MD5
5565250fcc163aa3a79f0b746416ce69

SHA1
b97cc66471fcdee07d0ee36c7fb03f342c231f8f

SHA256
51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859

SHA512
e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IT88KKGO\background_gradient[1]
Filesize
453B

MD5
20f0110ed5e4e0d5384a496e4880139b

SHA1
51f5fc61d8bf19100df0f8aadaa57fcd9c086255

SHA256
1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b

SHA512
5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IT88KKGO\errorPageStrings[1]
Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XJ0RD6PK\ErrorPageTemplate[1]
Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XJ0RD6PK\down[1]
Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC813.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC8B6.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFBA495EFFC6186E9A.TMP
Filesize
16KB

MD5
c3272d5a61491aa1b371672358e03d0c

SHA1
74410f75e96f9736e5d368c42dc915b3276d1b5c

SHA256
5d00dd31cc468a5433a17d2532ddacc9de0327ccaacba3f9b8da6caa61041203

SHA512
72e7dab5266a5c25c59e3fa2408735affb675723223e2c8c24d6024552f73523fcaa87cc8e48057ace32552cf3dac08ee263af21dc42b57f28a65c95e3b202cc

Download Submit
memory/2604-0-0x0000000000390000-0x0000000000392000-memory.dmp

Filesize
8KB

Download