fb68c68c00108c78502420c20ed5626ee4e8bb1741b795192d5a3f464dfb6658

General

Target

045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
Size

13.3MB
MD5

045eb07a813c75105b31480ed74f5f4e
SHA1

d4f8283514e8acbd8aaa1cb6dff3aa126d24cd1e
SHA256

fb68c68c00108c78502420c20ed5626ee4e8bb1741b795192d5a3f464dfb6658
SHA512

c00ccbfb504d199e0f8059b71e89d28cd95b8e698c55a76e0abe0f62d52e785ae81510a27e28adac1ae3826022ef05b65a8a9971138009bcef2ca840745fec2d
SSDEEP

49152:XYgph7GBfWbYcMh2RAR5FeA6wAqC1xDkYOMwwnMb4PmyVAK:XX77GBfWb5uW1cYOXwnS4rVAK

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Contacts a large (502) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ati display driver = "ÔN@"	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\odbcconf.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DWWIN.EXE	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dxdiag.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GameBarPresenceWriter.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\typeperf.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Windows.WARP.JITService.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ARP.EXE-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sdiagnhost.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemUWPLauncher.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\perfhost.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tzutil.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\userinit.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eventcreate.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tar.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PATHPING.EXE_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iexpress.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\netiougc.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cscript.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msfeedssync.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\user.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sort.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\user.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\notepad.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\regedt32.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\waitfor.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasautou.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\UserAccountControlSettings.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrs.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tar.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MRINFO.EXE	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PhotoScreensaver.scr_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\regedit.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\shutdown.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllhst3g.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fontdrvhost.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\perfmon.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dpnsvr.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\taskkill.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Com-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\timeout.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xcopy.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\appidtel.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\appidtel.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cacls.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eudcedit.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\find.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate_ssp_isv.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dfrgui.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpupdate.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\logman.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TCPSVCS.EXE-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lodctr.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mfpmp.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ttdinject.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wiaacmgr.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ARP.EXE_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmlaunch.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{03F1BE3A-2D6B-4068-AE00-C77390269D94}\MicrosoftEdgeUpdateSetup_X86_1.3.185.29.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaws.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpshare.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaw.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\orbd.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zG.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvsystem_31bf3856ad364e35_10.0.19041.1081_none_bdf809eb2dd695f9\AppVClient.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.19041.1081_none_5500d10e49b43346\r\ByteCodeGenerator.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.1266_none_fb98272b39a47240\f\MoUsoCoreWorker.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..wsupdateclient-core_31bf3856ad364e35_10.0.19041.207_none_8d07de31084775c6\r\wuauclt.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_windows-senseclient-service_31bf3856ad364e35_10.0.19041.1288_none_1cec63974464878f\f\SenseIR.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-quickassist_31bf3856ad364e35_10.0.19041.1266_none_72c6a00123f43c47\f\quickassist.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\r\rdpclip.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..eapplifetimemanager_31bf3856ad364e35_10.0.19041.746_none_45062eb997366a7f\f\RemoteAppLifetimeManager.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_wsatconfig_b03f5f7f11d50a3a_4.0.15805.0_none_63e334c9a2aa569e\WsatConfig.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.546_none_49716c2392052aca\r\logman.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-convert_31bf3856ad364e35_10.0.19041.1266_none_119b1e415d838a28\f\autoconv.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..b-standardcollector_31bf3856ad364e35_10.0.19041.264_none_0f23d07ed2574292\DiagnosticsHub.StandardCollector.Service.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-csp_31bf3856ad364e35_10.0.19041.844_none_c606f47e6aa94b5b\hvsievaluator.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..llercommandlinetool_31bf3856ad364e35_10.0.19041.1_none_2a5f489c740a390b\sc.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-klist_31bf3856ad364e35_10.0.19041.1266_none_b5fa73367bbd2f91\f\klist.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sensordataservice_31bf3856ad364e35_10.0.19041.746_none_dbfd31e3890afb72\SensorDataService.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_datasvcutil_b77a5c561934e089_4.0.15805.0_none_5b1ada239e3b0505\DataSvcUtil.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-newdev_31bf3856ad364e35_10.0.19041.1202_none_8636783e05df6f4e\f\newdev.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-printdialog.appxmain_31bf3856ad364e35_10.0.19041.1_none_3b03b28c788655c6\PrintDialog.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..etpc-mathinputpanel_31bf3856ad364e35_10.0.19041.1_none_8092909bf048f7eb\mip.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_8a469514405342ff\f\PasswordOnWakeSettingFlyout.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_netfx-dw_b03f5f7f11d50a3a_10.0.19041.1_none_8e850c52ac392ae6\dw20.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.264_none_13222f28beaa00a7\r\vmwp.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..artcard-tpm-manager_31bf3856ad364e35_10.0.19041.1_none_5106d54a804dbfc3\immersivetpmvscmgrsvr.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..executionprevention_31bf3856ad364e35_10.0.19041.1_none_8a292178f857b8d8\SystemPropertiesDataExecutionPrevention.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_10.0.19041.1266_none_c67a7a982eedc4e8\explorer.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-processmodel-cpt_31bf3856ad364e35_10.0.19041.1_none_60c397ff12ee4db1\w3wp.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.19041.153_none_95ba73d08e5f739c\provtool.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-extcom_31bf3856ad364e35_10.0.19041.84_none_027c502c6e331223\r\SppExtComObj.Exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_serviceinitiatedhealing-client_31bf3856ad364e35_10.0.19041.1288_none_91a5fb477b6af5a0\SIHClient.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_10.0.19041.1266_none_2d0e4759c01cf211\r\setup_wm.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_10.0.19041.1_none_295bb689d5f0ebfa\powershell.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-isoburn_31bf3856ad364e35_10.0.19041.746_none_680d56683fad152b\r\isoburn.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bioenrollment.appxmain_31bf3856ad364e35_10.0.19041.84_none_f80970fc24265338\BioEnrollmentHost.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..hreshold-adminflows_31bf3856ad364e35_10.0.19041.1023_none_9583d52fd3076014\SystemSettingsAdminFlows.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..l-systemuwplauncher_31bf3856ad364e35_10.0.19041.746_none_e304dcaa2490f61c\SystemUWPLauncher.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ieframe_31bf3856ad364e35_11.0.19041.1288_none_1d22271c8cc35d4b\r\IESettingSync.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..lipboardredirection_31bf3856ad364e35_10.0.19041.746_none_dfcf5b6f69f16f7a\r\rdpclip.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sort_31bf3856ad364e35_10.0.19041.1_none_61af30d6b8e070e1\sort.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systemreset_31bf3856ad364e35_10.0.19041.153_none_c8fbed52dad932cb\r\systemreset.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\iisreset.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devicepairingapp_31bf3856ad364e35_10.0.19041.1_none_258f6f31a16a0eac\DevicePairingWizard.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.19041.264_none_4a12028313046a9e\r\ntoskrnl.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-r..verycenter-platform_31bf3856ad364e35_10.0.19041.964_none_21209b01f08afd33\SystemResetPlatform.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_10.0.19041.746_none_24d91ab4120e42ee\rstrui.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_10.0.19041.1_none_df1a7ee54b62a4fd\quser.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.1202_none_2dfbb21bd5166adc\r\Taskmgr.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_datasvcutil_b77a5c561934e089_4.0.15805.0_none_5b1ada239e3b0505\DataSvcUtil.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..ifiedwritefilter-ux_31bf3856ad364e35_10.0.19041.746_none_c7c6fccae233c8b7\f\uwfux.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ecapp.appxmain_31bf3856ad364e35_10.0.19041.746_none_db09942beaf4fdfa\f\Microsoft.ECApp.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mapi_31bf3856ad364e35_10.0.19041.423_none_895925637881788e\f\fixmapi.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_10.0.19041.1_none_0e22056af4d5d874\mstsc.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft.windows.winhttp_31bf3856ad364e35_5.1.19041.264_none_7517ff6e147bc8a9\f\pacjsworker.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..ommand-line-utility_31bf3856ad364e35_10.0.19041.1_none_579ae2e26c347896\WMIC.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wordpad_31bf3856ad364e35_10.0.19041.1202_none_a27aa61d221bdc5c\r\wordpad.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.19041.1202_none_324ea383dbfddeb9\r\mavinject.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\explorer.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_10.0.19041.746_none_77bd4cfbe87238a7\SnippingTool.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.19041.746_none_1da55dc225237a0d\ShapeCollector.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-verclsid_31bf3856ad364e35_10.0.19041.1_none_7c2c890be7329496\verclsid.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\r\SyncAppvPublishingServer.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.19041.1202_none_324ea383dbfddeb9\r\mavinject.exe-	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-u..onwakesettingflyout_31bf3856ad364e35_10.0.19041.746_none_949b3f6674b404fa\PasswordOnWakeSettingFlyout.exe_	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e3e9268a9459641b5a406732e1efc47000000000200000000001066000000010000200000009ac816deb8eea56ab91df7ee78549961303a0e79a3345890c4e1d8a706bb450f000000000e8000000002000020000000ac1676826853f8ced970db2211cfeb467e11dd9972a85276590cf1f584d9eb882000000026aab6fc08af8033736cc135c89b019ae15f8d8c34baafab94a7c5fd762bc85740000000383d0eb5772dd33d260b37fad648b4a387a0397fb3f0049a4187997cb968c607f1146a57f689b83fd9edebad1cf42b484f862ee11d6aff940b55ed90e75394d5	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420440225"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30d8a93b2499da01	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40aca23b2499da01	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004e3e9268a9459641b5a406732e1efc4700000000020000000000106600000001000020000000d15d290585c0b6ae9a10653b592b6c1c1075d3f06a1b2330687f03aa709c04a6000000000e8000000002000020000000cef9e6658b81a61cac31c3dae47f300fc83778b73276cb538ca7bbb8ef61e067200000008216ee5111335167ff80e989dd220cdc30080f8a2733a63699466b29c88f120540000000fde78ad72dcbaedf663f97ab83f944c41e1b9bb1ddf80e7b02a647e59b6a97f7c59206f790e49dc134c7149e2231f99481bca79e4f6a613099748274a6441775	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{626AF134-0517-11EF-921E-DE6B303C5000} = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.exe

pid process

4856 IEXPLORE.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.exeIEXPLORE.EXE

pid process

4856 IEXPLORE.exe
4856 IEXPLORE.exe
2744 IEXPLORE.EXE
2744 IEXPLORE.EXE
2744 IEXPLORE.EXE
2744 IEXPLORE.EXE

pid	process
4856	IEXPLORE.exe

pid	process
4856	IEXPLORE.exe
4856	IEXPLORE.exe
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exeIEXPLORE.exe

description	pid	process	target process
PID 3228 wrote to memory of 4856	3228	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe	IEXPLORE.exe
PID 3228 wrote to memory of 4856	3228	045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe	IEXPLORE.exe
PID 4856 wrote to memory of 2744	4856	IEXPLORE.exe	IEXPLORE.EXE
PID 4856 wrote to memory of 2744	4856	IEXPLORE.exe	IEXPLORE.EXE
PID 4856 wrote to memory of 2744	4856	IEXPLORE.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\045eb07a813c75105b31480ed74f5f4e_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3228

C:\Program Files\Internet Explorer\IEXPLORE.exe
"C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4856

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4856 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Network Service Discovery

1

T1046

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe
Filesize
13.9MB

MD5
a45203f8e8e30bba274813fb48f284bf

SHA1
eddd04a18897dcce00d4022305987448fb468513

SHA256
21ce0c6ac92ef9d470a87985a09a86f58f63e311230610d190ad0afb1acc8db7

SHA512
0d6093fb61291bd6db3292260e2f9b19c92761245281146e4a5271467d072bc4fad6db5beebd5f326e9964c56394048944bde1d523c1b266ec0517d8be12e190

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads