f75b7535365c80c14523f074f5007fc6769e0453562d369362dff9c7e52874e5

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
Size

11KB
MD5

fbcff06b38e4ac7bcb904bdad1f9bdb9
SHA1

b4844e4398344a035507bb085353d8cce62739cd
SHA256

f75b7535365c80c14523f074f5007fc6769e0453562d369362dff9c7e52874e5
SHA512

29399e1558e4cffc128b38ba87d39d82184a971c4ab4baefc5ce452d9e03ce8f8515e9b41dc1038df65c11bbaec08200da42dfdc631820a1ea945b2ec4959a1d
SSDEEP

192:S06iazzoKkrt/F53lGHuL3/E/GCizES4TN/o/04qcB6bdhSz46OXddIxa4sy6kp:S06ih3t/rgOL3/EZiw5o0AadUz46OXdg

Score

8^/10

persistence spyware stealer upx

Malware Config

Signatures

Drops file in Drivers directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe

Modifies Installed Components in the registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\ = "ÏµÍ³ÉèÖÃ"	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath = "%SystemRoot%\\system32\\exloroe.exe"	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2192-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0001000000000027-8.dat	upx
behavioral1/memory/2192-383-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2192-3723-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Savanna\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_6.1.7600.16385_none_36604ea896f9a97d\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Calligraphy\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Characters\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Media\Sonata\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\Desktop.ini	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	F:\autorun.inf	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\Amd64\IF2550B.GPD	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\prnso002.inf_loc	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\wcnwiz.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\upnp.dll	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\1394.inf_loc	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Qutil.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\Amd64\EP0LB030.GPD	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0012\_setup.dll	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sr-Latn-CS\comdlg32.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\WinSyncMetastore.rll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migration\en-US\SxsMigPlugin.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPOJ1600.CFG	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\prnkm005.inf	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\adpu320.inf_loc	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\dot3gpclnt.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\certprop.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migration\imtcmig.dll	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RecDisc-SDP-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky306.inf_amd64_ja-jp_97f0de39317f6837\Amd64\KYPS5100.GDL	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\nettcpip.inf_loc	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\_Default\ProfessionalE\license.rtf	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep004.inf_amd64_neutral_63b22bfb6b93eaba\Amd64\EP7UIP00.DLL	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\lmhsvc.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\dot3ui.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\sscore.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-WinIP-Package~31bf3856ad364e35~amd64~~7.1.7601.16492.cat	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~pt-PT~7.1.7601.16492.cat	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\pciidex.sys	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\Amd64\CNBJ2610.TBL	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\nl-NL\cdosys.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_prompts.help.txt	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_remote.help.txt	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\SHJ11N06.GPD	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\sisraid2.inf_loc	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\connect.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Security-NTLM-DL.man	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\MsCtfMonitor.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\dssec.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SampleContent-Music-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\auditpol.exe.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dispex.dll	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\rasdial.exe.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\pnrpnsp.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\KBDSMSNO.DLL	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\dplaysvr.exe.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmcom1.inf_amd64_neutral_96c22c683482d8bd\mdmcom1.PNF	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep004.inf_amd64_neutral_63b22bfb6b93eaba\Amd64\EP7MDL14.GPD	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\61883.inf_loc	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\bthprops.cpl.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winspool.drv	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\ias.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\en-US\iscsidsc.mfl	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\cpu.inf_loc	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep004.inf_amd64_neutral_63b22bfb6b93eaba\Amd64\EP7MDL03.GPD	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\wpdmtphw.inf_loc	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\d2d1.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\dcomcnfg.exe.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\es-ES\hform.xsl	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Special_Characters.help.txt	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnle003.inf_loc	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\netplwiz.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\wmiprop.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\offFilt.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Utilman.exe.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\settings.html	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\wmlaunch.exe.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09664_.WMF	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sv.pak	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\TipBand.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Distinctive.dotx	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Adak	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\ShvlRes.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107718.WMF	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\23.png	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282932.WMF	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\plugin.jar	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01761_.WMF	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107280.WMF	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR8B.GIF	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_02.MID	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\alertIcon.png	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN103.XML	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL11.POC	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QUIKPUBS.POC	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00807_.WMF	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\calendar.js	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\OrangeCircles.jpg	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00405_.WMF	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0088542.WMF	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_F_COL.HXK	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\picturePuzzle.html	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mahe	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Yerevan	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs-nio2.jar	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Entity.Design.Resources.dll	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\IPDSINTL.DLL	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.png	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18254_.WMF	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Resolute	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Whitehorse	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Engine.resources.dll	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_WMC_LogoText.png	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Easter	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\COPYRIGHT	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\localizedStrings.js	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21348_.GIF	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_justify.gif	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185670.WMF	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fxplugins.dll	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\OFFICE10.DLL	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR44B.GIF	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-ktmutil.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4fd61d64bea7fc2e.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_server-help-chm.sua_lh.resources_31bf3856ad364e35_6.1.7600.16385_de-de_922c9646c791fa5e\sua.CHM	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Manifests\wow64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9b76c1a8d265a879.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..etoolsgui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bb9e8ac791f378c2\wdc.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~ro-RO~7.1.7601.16492.cat	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_wiaxx002.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_de-de_67508322fb0a8d91.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_c985fbedc9886bd1\license.rtf	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home2.aspx	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-OfflineFiles-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_prnca00d.inf_31bf3856ad364e35_6.1.7600.16385_none_de510ba10fac7008\Amd64\CNBBR285.DLL	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_prnod002.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_871dd2fab61555c4\prnod002.inf_loc	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..etoolsgui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5e5600c684c58f24\wvc.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-d..vices-sam.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b6d9677593c41465\samsrv.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fr\System.Runtime.Remoting.Resources.dll	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dssec.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_575720daffc1d1e8\dssec.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..tend-apis.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_2cda784031153995\OfflineFilesWmiProvider.mfl	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-wpfcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_es-es_b3e6bedfeeb93ed4\UIAutomationTypes.resources.dll	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-w..extension.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6ccce1ce2c4fe6b8\audiodev.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_6.1.7601.17514_none_935e5e07aa28aa00\tsallow.mof	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..-msscript.resources_31bf3856ad364e35_6.1.7600.16385_de-de_25b9e97c2ba93664\msscript.ocx.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0000085d_31bf3856ad364e35_6.1.7600.16385_none_59d8935c6f5b8c97\KBDIULAT.DLL	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-fax-service.resources_31bf3856ad364e35_6.1.7600.16385_en-us_36e0de390f55ac1d.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_adp94xx.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ac1e2022e2ad0084\adp94xx.inf_loc	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-devicediagnostic_31bf3856ad364e35_6.1.7600.16385_none_451a033a54709874\DeviceDiagnostic.xml	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-deviceproperties_31bf3856ad364e35_6.1.7600.16385_none_ea20b9269b3c9a2c\DeviceProperties.exe	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-d..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_de-de_4382ec7fa29382a4.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-ehome-ehvid.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e2bf23e2dc45491b.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\FileMaps\$$_syswow64_it-it_licenses_default_homebasic_12d64bbade41f856.cdf-ms	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmbr002.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_52822c9cd175a059\BrSerIb.sys.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_prnca00f.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4c3783d14969e75\CNBBR280.DLL.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_pt-pt_4ba75fea2925ef82.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_wiabr009.inf_31bf3856ad364e35_6.1.7600.16385_none_0a89942916508ec8.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\findUsers.aspx.ja.resx	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..iles-help.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8e8e077ec9162525\Windows_LinkTerm.H1K	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-rpc-secure-kerberos_31bf3856ad364e35_6.1.7600.16385_none_db9d8b2f1b8a6de2.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.Reporting.Resources\2.0.0.0_de_31bf3856ad364e35\Microsoft.GroupPolicy.Reporting.Resources.dll	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Help\Windows\it-IT\app3rd.h1s	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-r..e-rassstp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9be362f383a2b0e3\netsstpt.inf_loc	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_wpf-permregonly_31bf3856ad364e35_6.1.7600.16385_none_2b21de5624e8475c.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_prnms002.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2c414de009aef63e\prnms002.inf_loc	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b85612429efc33a7_oleres.dll.mui_ff00d4cb	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_server-help-chm.authfw.resources_31bf3856ad364e35_6.1.7600.16385_en-us_70e9b8e22b72b0a6.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-n..ion-netsh.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6cd9929c2f93d55f\NAPMONTR.DLL.MUI	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.2486c0f5#\d3624bd9507a1d21def2a1c3d713ab5e\System.Web.DynamicData.ni.dll	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\FileMaps\program_files_reference_assemblies_microsoft_framework_v3.0_de_4221013169c4927a.cdf-ms	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-scripting-jscript_31bf3856ad364e35_11.2.9600.16428_none_6536fba50c3288b3.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\msil_microsoft.security...ymanagement.cmdlets_31bf3856ad364e35_6.1.7600.16385_none_26b1f4355e49a023\AppLocker.psd1	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Boot\EFI\cs-CZ\bootmgfw.efi.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_wiasa002.inf_31bf3856ad364e35_6.1.7600.16385_none_bfa404db77af1a41\SA5935.icc	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Windows Default.wav	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_prnod002.inf_31bf3856ad364e35_6.1.7600.16385_none_ae12c1cb94acf497\Amd64\OKML421.GPD	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..pologydiscovery-adm_31bf3856ad364e35_6.1.7600.16385_none_e774dcd7484c8452\LinkLayerTopologyDiscovery.admx	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_ricoh.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_51ab611009c79649\ricoh.inf_loc	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-l..e-default-homebasic_31bf3856ad364e35_6.1.7600.16385_none_8b2a632cf41ea684.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-propsys_31bf3856ad364e35_7.0.7601.17514_none_89c51b2d31299255.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-w..ender-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b8b5f50fea3a170d.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_ts_wpdmtp.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_743b10d418853fa3.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\Fonts\BRUSHSCI.TTF	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-com-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_14400aaa57809682\ole32.dll.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-tzutil.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7756b31feb2115a1\tzutil.exe.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-c..-security.resources_31bf3856ad364e35_6.1.7600.16385_en-us_16c5a437f100318e.manifest	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\msil_microsoft.visualbasic.compatibility_b03f5f7f11d50a3a_6.1.7601.17514_none_c1c1077951dca19a\Microsoft.VisualBasic.Compatibility.dll	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_flpydisk.inf_31bf3856ad364e35_6.1.7600.16385_none_42ff01d4942cc5ea\flpydisk.sys	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..xe-common.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b782d21ffce64151\msinfo32.exe.mui	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2192	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSystemtimePrivilege	2192	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2192	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
2192	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 300	2192	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe	29
PID 2192 wrote to memory of 300	2192	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe	29
PID 2192 wrote to memory of 300	2192	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe	29
PID 2192 wrote to memory of 300	2192	fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbcff06b38e4ac7bcb904bdad1f9bdb9_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Modifies Installed Components in the registry
- Drops startup file
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Jilu.txt

Filesize
4KB

MD5
d9dc988d5510ad104d941c221fa1a304

SHA1
5fa40bdfc7547b8ac986ec28ab811bb70a391ad1

SHA256
c65c83df4890621e71a995c251c596847c2df81bcf97e13ef2c8d09772ed42ba

SHA512
45063e35fb2fa3de68b0179c4e6d9a10ae38c9db21299f6ed31532a6f1f97b46719cd282292b9801f210f64a8d2e69fd0ebb994cbfcb01cf56b30a529c25fb58

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
52fb9207a9401c0076cd92527fb5a7d2

SHA1
36ee8a46ae617a9be94d6a09504e97d89e74bcd9

SHA256
69cbd9e41509d7b2c8698d8fc4888931c23991aef68bab212ed1d0008136ede1

SHA512
685059f2918b37e1be586fd954374f6374eaaf1301c82628f8c70bcf116e3ceaf62baefaef615389e472c29ae327da40dd65b3319de340de1c4dc4fd9a6043d8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
6a40928b95848331e9446e5f073ef395

SHA1
10ee9d75c250a31cc1b89ca9ba9ec794fd0dde7b

SHA256
66cf5c42b8c57f8332bd654ba45a838ee260435e7490f50ccb9b547846530d9e

SHA512
2623ef525286047e2d156e7c6219a5cd4c83055f1b1c18758da6451937c994a46464c129bc2607945d8dbda82075c42b9947eb9e0bcaba37ae27edd3b5c5b8b7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp.aspx

Filesize
6KB

MD5
0810e56f14150a49f329fd814e44681a

SHA1
6274a45877ec782cf2d81c8682593a0318b98313

SHA256
43745e2610184e8a962f1618db51f58bbd82572a8fa01f67bdf520a579f1c079

SHA512
8b06819f3b3124c1a8c7205231eb4bb8628f98a42ef73698954afbc8b7e67cc5180352fe582b1c386cb2991d446e92835db1d6f55935ab8b1b4ddabede2e2121

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx

Filesize
13KB

MD5
cd84b119ebffaba74773617033cb6674

SHA1
7b0e335b8b678704566e0f216bc62b0e6655acc0

SHA256
466351c7e536669c4f42bd366ac43db91dc47e5b7f95af56507cb3294d0c1419

SHA512
fd9e7525c9b363d487edc5b14b9a68cb28ee5632cbb046726f15868d288bcc776d40e031c3af2fcbadee08cf83208160eeeda18caa1bd49f9fbedd6f30cf9af1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx

Filesize
4KB

MD5
ed4bf7a3d573a2f74174f4b6b2b3ce4e

SHA1
9eb14f7ffef1b9a1efdf67712758a579f7625a3a

SHA256
fce41934a2771525c68c524d90427f7e246ebe25bd407be2ca87b8eb28c81eab

SHA512
57b631db6887288d442eb529bc6c24b692c7d276b56c7952af3ab5e95f54765613e4dda03fd1297b2fb7d2bbd06bc837da76b4f1fa1115c3fdb43539b7bffef0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Provider.aspx

Filesize
6KB

MD5
9ee37bbd48ff7a1a68456b117b0a303b

SHA1
4561b070fadc2ba68d41f46560bd77ecd196b0a4

SHA256
80f4235cdf0ef650b6b58dbdacaec6e5720eb4679f28c274861660d08c9514f6

SHA512
1bc598aa04668826e93e4c2709fff37192105932c0e62b05fafe913986d675c7f1c12af2f45af4a8be41a74a95b393511e0e56173a6eb1388169f8409240bf18

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx

Filesize
10KB

MD5
bc8c570bc0f2b3a7b840c068657fa6b6

SHA1
74e3b62dc1d8e7eb6e4403ce70e9eaab6af33355

SHA256
cd894ffde7a140b5d032a29ec43694a5d133448104cf79db87c866f7820d955d

SHA512
eeb5dce278690e4a57569b1a8fb3df126930b8106106c0915ef9627bf4f744a1024b56c7b7125df0e00e47dcb99ccad6f4d31713aa293869125ce3529e370b36

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\DefaultWsdlHelpGenerator.aspx

Filesize
68KB

MD5
9e4eb001ebdb502833796b593dd475bd

SHA1
92b05f9a5887e349bbc478eb57f94234381c3417

SHA256
4e32479ccb6a9567cc9fdcd37e36ea723d7c616d4b1058fb4fecdc17e78bbc12

SHA512
af7ce86d4e393965585e9295a85dd48790eb373650e3c75895c9690329f5bbc469ad242493fddb6fc994ed800d890a80ef2346021b6015a518daaf5c7392c308

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx

Filesize
3KB

MD5
bf6f6901b7f70ad8842fc2f3be213aa6

SHA1
e45bded84c4fc25f84004afba058b0097799af8e

SHA256
d9328d2967b697533ec040317dd70e3651c9a44210da1ed978a4b8e5597dc2ee

SHA512
6839ca885820f8ba901147a725618b8fcba46c02a1bfea02c34b0d32c3017a62ecd6bb93c7046d88e77cb730d986dccc1da6360e2aad871321f0e4724ccb6cf0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx

Filesize
2KB

MD5
3dc3ec21e9edd8c9d2d52c6ce0bb3e5a

SHA1
a0ac3f8a970e1ff5d8bb86d2a7be0926cda8ad0d

SHA256
b2acad5ce3e2060b8f92e1421e253b432c255cb8867de1db6115702afd2f3fc5

SHA512
c714028e16f50b2aa9511701f52b2d9e7b8d0f2bf07dc0e226d2002b09d7b72a64445737f3c0054b5d3d9faa4d043323a10f262fb9cba74bb3a7adde5bd60001

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx

Filesize
14KB

MD5
55eae5d2fb72223fa3fe71d82745bd9f

SHA1
de9f7907ffb13acc83f17594ab1d34d596144cf8

SHA256
79141e881a5abb763614dac04b029e645cfa4d1f1a3623f1048c657e2fe4a4cf

SHA512
55f4511499f628485aaa79baa528bf3a981a5db7912445394b98540a6fe8789c768eb3dc760ef8e37665ed0d8f345c110657684d11fdef8b4c8d50f4766b2a9f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageConsolidatedProviders.aspx

Filesize
12KB

MD5
0e1dbac67a1c5a71c49d0c5e1fde8b59

SHA1
2e88debe7ebf900a8b3e618d12ebe0bc3eb929a1

SHA256
d0f5a0a25faf3d12565292f5b38848ca53b5397af0b7529d259e36b9d21eef35

SHA512
2bf3c1bd7095dd39c0c8db9d5811a54c4f3ea94e4607d5c5606bfaeffd5cf1df64d1a6b14e10ec4628d53cc94fc0472eb619469faf224cb2deeec42c15deae66

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx

Filesize
9KB

MD5
edf0afdc0128d7f629fed0faf2579a81

SHA1
e5aee733e3dce326f122c2c3c35a7359b1754fcb

SHA256
800ce0a74b1cec0e7f13290432c7de48f90f7efabf1003db8e87ddc5b7cf7a52

SHA512
5ff249e68d50bdacaec6e9d4c0c1c37cbcb9ff29682cd09dd7a53ece2b3e61d9a38f32775d14b5ba1e825a9cf47e8157a7a20532a8df49ed2a121b803a4c8b24

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx

Filesize
2KB

MD5
bec2c348aae4e370a119304b7089fab5

SHA1
cf4286052402d47d67fa63b22d523427b90fe7fd

SHA256
323889556cff285b78a3e55c7df3d03e4d5fab4c41bcc4f9a2d96e9a62b155ef

SHA512
395829fe62536674f16ba76e3030cfec449aada4d081d7b2cd0697876a8db2474b05bf697cdd49eff250dedc34d9dde4a69daa8c76be6a3f5754f024cfa3342a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx

Filesize
10KB

MD5
40f836930e4a45e3bee9bbe280d7372d

SHA1
611b9adbfc2f6f11fbe57a13996b93e9555f8c18

SHA256
660843f82f2d07e455f1d9ecb33abb28f86ac36d0c606ef1d7769df9d42970b8

SHA512
ad6e830350936bf10fe0c74a683fa7c9dd9b591c8f56f856a274517eaeb04a14883ba33195ec1196004d5efb7dd441a34e1657bf81cc206aca3bfedc8c25ac31

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx

Filesize
21KB

MD5
366ed5eb5b6039431f8a974071512d3b

SHA1
e5ddd4d15b66f0e11641e65d8e3f7bb7fe645df6

SHA256
3da6f8d574a0ecf53505794d4eefd508b41865b7ccb3e629c714585499876803

SHA512
39331e45e0bd553e85f21791d7fb5a6632175c839d7925579b4337e4961de77f6fcd82543cf9dbe421e8a3f4825d0d38e26a4b42ff70d52cbf4061cee05e53d4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\editUser.aspx

Filesize
11KB

MD5
3d88b0dec56879360d124791d4dad42d

SHA1
fecb18f5c3f65d3f2c567913e1693de81af6f55b

SHA256
3d81b67efe2da22ff0a7ed19e2ec10d79e3869efa67c32e715cd6daeb3e63ed2

SHA512
1dd259b5bba508e95918c208d0607696e94b2d755f547be200c560812a9ffa6fc7e4d0235f74aa591fef0d06da7ffefd5760e552d1aa8cf8e4c16b046f74d687

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx

Filesize
10KB

MD5
7da468ac07673a9245a8123b4ccf6462

SHA1
3c50d48ef2ea7bcb96a3f16ab118c32deec1d605

SHA256
5e753e302ecd9142702669c4b3b8be293174952bca472b104ecb6cee5ffc9364

SHA512
e4555060afb9838527af14e3eaf19e3da701ed7b0309a3e098de1f1ca0dd305781d58811cbd8a14e5954476999ce722a8f3ba1db07ebecfaa44f4b402beb0aa5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security.aspx

Filesize
10KB

MD5
90461de577de2ef7462635b261c923f6

SHA1
253ecf35b5820268b81a6e2f08ed3083dcb9e6d3

SHA256
cc254cc628e41e218b253d235638b2635ac63e3f2508c0b6800f0a95ba0809f2

SHA512
b28a503d37920601184bbc518f28a8764401edeecac0c37a5223f1b6e36316b5cd1bf392a7f763637002709b7ef71da77babdb519bbf73cdc1b4a64b74c10dd0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security0.aspx

Filesize
1KB

MD5
b62de344039504b0b7e9ecab12a1ddc6

SHA1
11699ed72e4a0fb9d5eed0bbbf1f7178f232ad67

SHA256
58061f377a32f4f7c17f754045f858ff470cfa4a709e98e67ef073e9de4c7864

SHA512
3f210258f81a22db9132027499bf655bbdb1c2b5d09552901f986a20b7586cf8a09d33d736db4b78a49f8ea2ea5b85ef2e7412d4e8a8ab01f213a1a98f56ae57

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx

Filesize
2KB

MD5
117e3c281379bb081f92c8e89bc80907

SHA1
be5812f2261db2102209720cc7828bd27fc7e4d4

SHA256
e7cec71c01d3b7c1d0746a0014a948bd1ce69c5329b5c1ef0b984360a82644b2

SHA512
4ae89f89af79dc59341d4a43956e61b45d7a3dfce1584bca6ac99968027689cdf45a13442cd826c06d09598cec43e674d13dd49c3a0100fa375f1acad5c0b2f6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\default.aspx

Filesize
4KB

MD5
cb6ccab77622fa57c7fa8c99dd5c8cc5

SHA1
0631987814aeeb4b88974ff10f0311cfe4f87ef6

SHA256
0c220ffa13badfd659c6747258b451f07ad9150304e731eea9bbe6d24739b0d8

SHA512
fa5e40d949235e1b3b2aace3e8c8c79dc6940b0c31aa2004bb352a463a6ed186bc876bc6e6ab0714403649b6235a6a47a2fb7afaec100c429b2eea6b2efcf3b9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\error.aspx

Filesize
6KB

MD5
b4ecddf369366bfe52e9cba8d0bedc99

SHA1
af4c5407dd2ed37b639e79a6154f567636036ee8

SHA256
78f0a199d86fee526a7135a1cc442c4955d683688b902d38328c1d6b53c1940f

SHA512
57cb8bf7d6a3660cb09b10bf2b790ae789d52d9f8aae08a38ae1d1d9e12ce20fbb8f1e4eaa8fcadac49c289d4ca545ddc89dc09210c48788059fcaf9a27fe5d3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home0.aspx

Filesize
1KB

MD5
d9881ea1ea38b56c4130d2a28e8b4337

SHA1
31e5db83ddb68d283684adeecd47bb84aadb1a2e

SHA256
b4ba4ba3f832a667ef50e211655396cd0c49f193956a58a8ab0c74e208c63ae1

SHA512
c98fa43c3f026c9fa7a4a52a2693eb7ccf09e355d5a81baef2aee8b0612dc92080f960f7bfa598d5d01933334641012dbada4ce6cd5f1684bdda25b1186b9d86

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home1.aspx

Filesize
817B

MD5
b68eff3595c120f016ccd89df416f8eb

SHA1
eb735b03325d735ba0f6200543c3458b73547a23

SHA256
05127968f649098c105f24b04c04f8d67169f4de3f653f72ba5b722cbbfce090

SHA512
64ddb97022f4be63a994c1781fb3d98385f611c35ae05cf8013ac42d9381c703fdae48bf117eb44be8c3efd0fd0d88685c07b72c8457d173e78b3c26ea3525f2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home2.aspx

Filesize
1KB

MD5
e2a262b41c4a32497031cf5848d9a2c9

SHA1
7f6a242757bf718f4db296287e17471fd7cfe227

SHA256
784fa62464b85e13965d74e1f5216628a1b6fcb77aec811401bba6f88294a9d2

SHA512
d17aae2ffa0827de63ee12dece114a90738f53266a3f93e3d9d2cf95d1f23eba04e0067270e1588a71f2ac42def615815408bcbcf8d6de7bd7806c3f58894cab

Download Submit
C:\autorun.inf

Filesize
91B

MD5
1ecbee74203c68e028f33401bf4bbe36

SHA1
d61cb792dbf96b5a9b4d72367cb1150ca2618279

SHA256
05b04e8a590868f3fb7386de34a72288b90531d5d067bdc40f954a2736706293

SHA512
35620ad6fe8c69154311d71bd2459aa0048d8b98e24b4c5bcd8bc73780ac2b45cf7eb2e8adc0b8dfaeec2f54c0141ebe93a00bfb999ab17ee7d24948a6082960

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
f0f8596ba61b12b3c89d04ffb149a6fa

SHA1
37e74e7e7c09a6693069f49c03c2e8244723cc2a

SHA256
c17078d4350fd9e7731fc2ceb6c9ed938289e9cc13868300ab19b6471b8dc1da

SHA512
4a9fd641cf3eb38cd5845fc10ba95e23855339365c456faee269060e1de7cdcdd2ef370747832daf66b6a6a3f29c722b4d1839a697e476052cfed2aa5ff33454

Download Submit
F:\Xiaohao.exe

Filesize
11KB

MD5
fbcff06b38e4ac7bcb904bdad1f9bdb9

SHA1
b4844e4398344a035507bb085353d8cce62739cd

SHA256
f75b7535365c80c14523f074f5007fc6769e0453562d369362dff9c7e52874e5

SHA512
29399e1558e4cffc128b38ba87d39d82184a971c4ab4baefc5ce452d9e03ce8f8515e9b41dc1038df65c11bbaec08200da42dfdc631820a1ea945b2ec4959a1d

Download Submit
memory/2192-383-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2192-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2192-3723-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads