neshta | 9dc76174e9e89c596aeb1dfd5f85e04d1ca823f08f78ef7007e0b4d1c9e1bc51

General

Target

046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
Size

5.2MB
MD5

046a2b0afaab2481800e1689b29ee63f
SHA1

85a7acbdaf3e509c121d96ba2bc665e2cd21154e
SHA256

9dc76174e9e89c596aeb1dfd5f85e04d1ca823f08f78ef7007e0b4d1c9e1bc51
SHA512

f52cc759a61330dd13947fb8002eab5d59d7c3261f084b907f2b4d4f4addf2799a7a7cd10e5811058e33cf05cbf9e54c0e2c8eea5409156652b9324bf100e144
SSDEEP

49152:Fl/ijN5j2Xsl3RJ3LHobUQDgok30nwHCTpYdOyCPOFWSytLoqU/qC8W:FlerjesRJ8YQU/ojTpdPOFstsF/1

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 1 IoCs

Processes:

resource	yara_rule
C:\905c0769f9a06c95a24ddf945\patcher.exe	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf 046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\mavinject.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\prevhost.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rasdial.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xwizard.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Dism\DismHost.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dfrgui.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\gpscript.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ndadmin.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\odbcconf.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rasphone.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ThumbnailExtractionHost.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\TpmInit.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Com\comrepl.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IME\SHARED\imecfmui.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wiaacmgr.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fsquirt.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\schtasks.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\TRACERT.EXE	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cttune.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesHardware.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP\IMJPSET.EXE	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\autochk.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\choice.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\instnm.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\TapiUnattend.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\autoconv.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cmdl32.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\diskpart.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\edpnotify.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msfeedssync.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WWAHost.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\perfhost.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RdpSaProxy.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\charmap.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dxdiag.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MRINFO.EXE	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wusa.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cmstp.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\powercfg.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RunLegacyCPLElevated.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Register-CimProvider.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WerFaultSecure.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\F12\IEChooser.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\auditpol.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\net1.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesPerformance.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemUWPLauncher.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\finger.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\isoburn.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sdiagnhost.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RmClient.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sort.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\mofcomp.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DWWIN.EXE	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\nslookup.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\psr.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wermgr.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\WMIADAP.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\policytool.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateSetup.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\klist.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoia.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Uninstall.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\misc.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpshare.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateSetup.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\misc.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\OOBENetworkCaptivePortal.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\XGpuEjectDialog.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\SystemSettings.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\NarratorQuickStart.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\CapturePicker.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AssignedAccessLockApp.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\NcsiUwpApp.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Win32WebViewHost_cw5n1h2txyewy\Win32WebViewHost.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SecureAssessmentBrowser.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\Microsoft.AsyncTextService.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe$	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe

NTFS ADS 1 IoCs

Processes:

046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf 046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe

pid process

1020 046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe

pid	process
1020	046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\046a2b0afaab2481800e1689b29ee63f_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\905c0769f9a06c95a24ddf945\patcher.exe
Filesize
5.2MB

MD5
046a2b0afaab2481800e1689b29ee63f

SHA1
85a7acbdaf3e509c121d96ba2bc665e2cd21154e

SHA256
9dc76174e9e89c596aeb1dfd5f85e04d1ca823f08f78ef7007e0b4d1c9e1bc51

SHA512
f52cc759a61330dd13947fb8002eab5d59d7c3261f084b907f2b4d4f4addf2799a7a7cd10e5811058e33cf05cbf9e54c0e2c8eea5409156652b9324bf100e144

Download Submit
memory/1020-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads