b3ff713108a89d70c2202fb9d3f43c31e1821930a5fd1f07b36887ff5aa18dca

General

Target

046919029770f1e6f8df03e428865948_JaffaCakes118.exe
Size

25.5MB
MD5

046919029770f1e6f8df03e428865948
SHA1

5038379ea2462fb7b9d2ac1712cf2b17d9b266b5
SHA256

b3ff713108a89d70c2202fb9d3f43c31e1821930a5fd1f07b36887ff5aa18dca
SHA512

d12e7987017196cdd88b654a1c59acd3c51c72356d147a33393711f6e7366c0fce685bd558272ac8d93b2cbe9bd483a308127fa3ac90cc0eeb10f66cadb6d749
SSDEEP

49152:XYgph7GBfWihDkYOMwwnMb4PmyVtHDkYOMwwnMb4PmyVGs:XX77GBfWLYOXwnS4rVtYYOXwnS4rVGs

Score

9^/10

spyware stealer

Malware Config

Signatures

Nirsoft 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7z.exe	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 64 IoCs

Processes:

046919029770f1e6f8df03e428865948_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\GameBarPresenceWriter.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrs.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\stordiag.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AtBroker.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DevicePairingWizard.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mtstocom.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PresentationHost.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\regedit.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rrinstaller.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ipconfig.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TsWpfWrp.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WerFault.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chkdsk.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\convert.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\diskperf.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dpnsvr.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\grpconv.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SyncHost.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wermgr.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpscript.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MRINFO.EXE-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msra.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\agentactivationruntimestarter.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\BackgroundTransferHost.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fixmapi.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ftp.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\icacls.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate_isv.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Windows.WARP.JITService.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmdl32.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eudcedit.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\instnm.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\logagent.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\recover.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TpmTool.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\compact.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Msdtc\Trace\msdtcvtr.bat-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\typeperf.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\autochk.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpresult.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rekeywiz.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\setx.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cleanmgr.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fltMC.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RmClient.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sfc.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesHardware.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\getmac.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\isoburn.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mshta.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dccw.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dpnsvr.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HOSTNAME.EXE	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\perfmon.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\timeout.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WerFault.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tttracer.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\waitfor.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\agentactivationruntimestarter.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DpiScaling.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

046919029770f1e6f8df03e428865948_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Internet Explorer\iediagcmd.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateCore.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateOnDemand.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\show_third_party_software_licenses.bat	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaw.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Build.bat_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmid.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\vlc.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpshare.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\javaws.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\nacl_irt_x86_64.nexe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\ExtExport.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7z.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\wabmig.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmlaunch.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_98656\java.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaw.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jjs.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

046919029770f1e6f8df03e428865948_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.84_none_90b92bf6be625d1b\r\dfrgui.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-dns-client_31bf3856ad364e35_10.0.19041.572_none_bfb752f1e1449c59\dnscacheugc.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-f..ysafety-refreshtask_31bf3856ad364e35_10.0.19041.153_none_3c9b504ec5293ad0\r\WpcTok.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\vbc.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-onlinesetup-component_31bf3856ad364e35_10.0.19041.746_none_4b0a936d86cdd479\r\windeploy.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\f\AppVNice.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_10.0.19041.1202_none_ddf8c4144200f5b4\f\winresume.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-bth-user_31bf3856ad364e35_10.0.19041.1_none_1b0a4d6f748b99f5\bthudtask.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.19041.153_none_70cb6ca43c818606\cmproxyd.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..perience-ait-static_31bf3856ad364e35_10.0.19041.1_none_e6d5a48c4da284da\aitstatic.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-assignedaccess-guard_31bf3856ad364e35_10.0.19041.844_none_10a0a60f1ec9cc10\n\AssignedAccessGuard.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..tx-dxgiadaptercache_31bf3856ad364e35_10.0.19041.928_none_85ac1b118ff2a924\dxgiadaptercache.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\CallingShellApp.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..screencontentserver_31bf3856ad364e35_10.0.19041.746_none_e540b68b09558f5a\f\LockScreenContentServer.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\f\ImeBroker.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1202_none_a391067a6b9b433c\f\appidtel.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..-unifiedwritefilter_31bf3856ad364e35_10.0.19041.1_none_522bacd027283125\UwfServicingSvc.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..-disposableclientvm_31bf3856ad364e35_10.0.19041.985_none_c3639a9e3ab1a351\f\WindowsSandboxClient.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.264_none_0e32f443c4669fed\hvax64.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..atibility-assistant_31bf3856ad364e35_10.0.19041.1_none_e9b79397c28488a5\pcalua.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_10.0.19041.928_none_b321f2c2ab7710a2\f\sdbinst.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1_none_b29cb2f3845833b7\ApplySettingsTemplateCatalog.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\sysmon.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hns-diagnosticstool_31bf3856ad364e35_10.0.19041.423_none_841c30f68571c385\hnsdiag.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.264_none_62496caeba2daa52\nvspinfo.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-onlinesetup-component_31bf3856ad364e35_10.0.19041.746_none_4b0a936d86cdd479\r\oobeldr.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-driververifier_31bf3856ad364e35_10.0.19041.1_none_705ce89b3c18ecc5\verifiergui.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..riseclientsync-host_31bf3856ad364e35_10.0.19041.1202_none_42d3a7d52bcb0f8d\WorkFolders.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-filepicker.appxmain_31bf3856ad364e35_10.0.19041.1023_none_374973298940e35c\FilePicker.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\f\AppVStreamingUX.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_10.0.19041.264_none_29367e02ede71097\wbadmin.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-certutil_31bf3856ad364e35_10.0.19041.746_none_937e52b9922bd791\certutil.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..mnotificationbroker_31bf3856ad364e35_10.0.19041.746_none_a5ade2e84580e250\r\DmNotificationBroker.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.84_none_90b92bf6be625d1b\r\dfrgui.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\E39B69A3F3677E14587CF1C3CC73FE72\48.108.8828\fileCoreHostExe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_installutil_b03f5f7f11d50a3a_4.0.15805.0_none_d67d06ef0c4a2e1c\InstallUtil.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\f\AppVDllSurrogate.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.19041.264_none_fe5852f864c5941f\f\wermgr.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\PeopleExperienceHost.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.19041.1_none_9613f8b833f2e8f1\ByteCodeGenerator.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-advancedtaskmanager_31bf3856ad364e35_10.0.19041.84_none_a689f818199cbaf8\LaunchTM.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1202_none_a391067a6b9b433c\r\appidtel.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-defrag-cmdline_31bf3856ad364e35_10.0.19041.84_none_bf1eecf3f472e3ce\f\Defrag.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-e..taprotectioncleanup_31bf3856ad364e35_10.0.19041.789_none_b38221af158e5881\f\EDPCleanup.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-onlinesetup-component_31bf3856ad364e35_10.0.19041.746_none_4b0a936d86cdd479\windeploy.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-commandprompt_31bf3856ad364e35_10.0.19041.746_none_69061189792bce34\f\cmd.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-coresystem-wpr_31bf3856ad364e35_10.0.19041.207_none_4054ef70f69f6ff9\r\wpr.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..al-chinese-moimeexe_31bf3856ad364e35_10.0.19041.746_none_0f44a2d7a5e3a37a\f\ChtIME.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-edp-notify_31bf3856ad364e35_10.0.19041.1202_none_958d6588f50ca146\r\edpnotify.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.264_none_aa5417fd2708544d\SyncAppvPublishingServer.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0837ca02799da01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a0a2b07e19474409a5e998fac1dca81000000000200000000001066000000010000200000005dbff0e0f82985f040a84e09658b2d30cfaebe4aeaa4f81cf4d99bf480755d5b000000000e8000000002000020000000ca69fb2365a00dbd2ad45361c35ddc864244e5988d194cad2a4b31bed0c7932a20000000bf93ba524fb5de33bcd908c5798f88116bfbe63c7d82af3849c184671e5e165b40000000465a6f181b91c91c3ee106065a430c83ed8723491f46a0c1ea8ec81c707a2501f284cfa5d1c42bf44951b32dc7f91899a6da33a5d4569e6d8e5d96ddbaeaa5a3	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a0a2b07e19474409a5e998fac1dca8100000000020000000000106600000001000020000000d5214438c579993d7771a9ae31aef9b6aa7129985f7c3e5791000282a23d95ed000000000e8000000002000020000000ffb5ff01b18125c06ce5a4865051b4c58e058a0a7aa6fe2c12a9c2fc1a11878d20000000b29d07f8d9c7d4d7d3f087a23aadb907d47d69f3544929ebc5f81b6123b12b4640000000156f69b5a675b1dcb732ce914ef45777890a3f20191464c5ffa4435c903ef8c41c7bf1ee16ff67963290ab6d02b121ef825dec4f2913a8956e78067790555649	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 900c99a02799da01	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C77209E7-051A-11EF-8ED9-4674C9374F07} = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420441683"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.exe

pid process

5000 IEXPLORE.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.exeIEXPLORE.EXE

pid process

5000 IEXPLORE.exe
5000 IEXPLORE.exe
8 IEXPLORE.EXE
8 IEXPLORE.EXE
8 IEXPLORE.EXE
8 IEXPLORE.EXE

pid	process
5000	IEXPLORE.exe

pid	process
5000	IEXPLORE.exe
5000	IEXPLORE.exe
8	IEXPLORE.EXE
8	IEXPLORE.EXE
8	IEXPLORE.EXE
8	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

046919029770f1e6f8df03e428865948_JaffaCakes118.exeIEXPLORE.exe

description	pid	process	target process
PID 3124 wrote to memory of 5000	3124	046919029770f1e6f8df03e428865948_JaffaCakes118.exe	IEXPLORE.exe
PID 3124 wrote to memory of 5000	3124	046919029770f1e6f8df03e428865948_JaffaCakes118.exe	IEXPLORE.exe
PID 5000 wrote to memory of 8	5000	IEXPLORE.exe	IEXPLORE.EXE
PID 5000 wrote to memory of 8	5000	IEXPLORE.exe	IEXPLORE.EXE
PID 5000 wrote to memory of 8	5000	IEXPLORE.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\046919029770f1e6f8df03e428865948_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\046919029770f1e6f8df03e428865948_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3124

C:\Program Files\Internet Explorer\IEXPLORE.exe
"C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5000

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5000 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe
Filesize
26.1MB

MD5
5892aaa675de5bc5fd7817ce96253236

SHA1
18a004fe6e6dbf8109d5393fcbb930e2391f7051

SHA256
f9fb14675189094083b7f4c4b923b031efece69329cec920cf157dec9e44c97f

SHA512
7392ed10c1d1028620f0eecca835aee8024ac90f93bd087e4654a429584f4dfc3566be032880abdb054ba8f4611621a9d50fd7f6b3bb39da9b0c9d3e3845b125

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads