neshta | a4240bee0f61206c372f04950fcbce24859e983ed1d274262e8917b89769dd2e

General

Target

047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
Size

6.8MB
MD5

047bd4707c67b43c6386f09b9bf600df
SHA1

e3d4acf2c7615da3f08fd4c18d3a7ede24a20a56
SHA256

a4240bee0f61206c372f04950fcbce24859e983ed1d274262e8917b89769dd2e
SHA512

8b84d6208586718d189dfd28d958ada70b5036fdc8d1885090aa8f9c99c15a55d428578340d6a52c4f4adc097c0b2098be21c75a930578fc9425ee294a15c382
SSDEEP

98304:FlerjesRJ8YQU/e51q0V8ZjmMrm1RF4j+POoo35we5nPOE1E1:urj578YQP1qbryHFvP83/FPx1E1

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 1 IoCs

Processes:

resource	yara_rule
C:\905c0769f9a06c95a24ddf945\patcher.exe$	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf 047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\driverquery.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\perfmon.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesHardware.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dplaysvr.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\findstr.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LocationNotifications.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WSManHTTPConfig.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\EhStorAuthn.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\choice.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sdiagnhost.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\waitfor.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP10\IMJPDCT.EXE	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\convert.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\instnm.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msfeedssync.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\OptionalFeatures.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rekeywiz.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMig.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setup.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DpiScaling.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\InfDefaultInstall.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_ssp_isv.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\_isdel.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\eventcreate.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Netplwiz.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\openfiles.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\print.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\secinit.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\WinMgmt.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mcbuilder.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\diskperf.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\osk.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\regedt32.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SearchFilterHost.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\subst.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesPerformance.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cttune.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Dism.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NAPSTAT.EXE	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Robocopy.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wlanext.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\migwiz.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\odbcconf.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\TapiUnattend.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\w32tm.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xwizard.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DisplaySwitch.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dialer.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fc.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\grpconv.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\proquota.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\TCPSVCS.EXE	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\UserAccountControlSettings.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Dism\DismHost.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\at.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msdt.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mtstocom.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SecEdit.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\mofcomp.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\getmac.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Chess\Chess.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Uninstall.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zG.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\javaws.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\javacpl.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..ce-useractionrecord_31bf3856ad364e35_6.1.7600.16385_none_8ee34c400d95f0ab\psr.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-freecell_31bf3856ad364e35_6.1.7600.16385_none_b466b741b68bd29a\FreeCell.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\wow64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7601.17514_none_092d6b9141f16aca_winmgmt.exe_8f8eb7b1	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-convert_31bf3856ad364e35_6.1.7601.17514_none_fafb502abef1be40\convert.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..s-ime-japanese-core_31bf3856ad364e35_6.1.7600.16385_none_cb604f1aa758e6b6\IMJPMGR.EXE	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..mpropertieshardware_31bf3856ad364e35_6.1.7600.16385_none_9cef76e6ecab612f\SystemPropertiesHardware.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\c899de3549784161aa66610d5735e4f0\ehExtHost32.ni.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-snmp-trap-service_31bf3856ad364e35_6.1.7600.16385_none_2b7ff0845918e12f\snmptrap.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-winlogon-tools_31bf3856ad364e35_6.1.7600.16385_none_f0686b7ca6acde00\mpnotify.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636_winlogon.exe_ac37d0c5	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-com-dtc-runtime_31bf3856ad364e35_6.1.7600.16385_none_7547f48c79b40229\msdtc.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..-setieinstalleddate_31bf3856ad364e35_8.0.7600.16385_none_7f263a8951bc5a48\SetIEInstalledDate.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_wpf-terminalserverwpfwrapperexe_31bf3856ad364e35_6.1.7600.16385_none_80543131e5508a75\TsWpfWrp.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ddodiag_31bf3856ad364e35_6.1.7600.16385_none_924b83b9b69fb351\ddodiag.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-icacls_31bf3856ad364e35_6.1.7600.16385_none_8ea990b7bfab3802\icacls.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-setup-component_31bf3856ad364e35_6.1.7601.17514_none_905283bdc3e1d2d8\setupsqm.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-sigverif_31bf3856ad364e35_6.1.7600.16385_none_178e7604150fa952\sigverif.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_6.1.7601.17514_none_326571587836a400\wsqmcons.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-upnpdevicehost_31bf3856ad364e35_6.1.7600.16385_none_1ddd261c4e350476\upnpcont.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_6.1.7601.17514_none_177a088436382a34\WmiApSrv.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7601.17514_none_fed8c13f0d90a8cf_winmgmt.exe_8f8eb7b1	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-credwiz_31bf3856ad364e35_6.1.7600.16385_none_9fb106cecd28b3f9\credwiz.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehexthost\6.1.0.0__31bf3856ad364e35\ehexthost.exe$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\SMSvcHost.ni.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-cleanmgr_31bf3856ad364e35_6.1.7600.16385_none_c9392808773cd7da\cleanmgr.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_8ce7aa761e01ad49_wininit.exe_7a527f28	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_11.2.9600.16428_none_4605aca152cc8281\mshta.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\iisreset.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..s-ime-japanese-core_31bf3856ad364e35_6.1.7600.16385_none_cb604f1aa758e6b6\IMJPDSVR.EXE	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-directshow-dvdplay_31bf3856ad364e35_6.1.7600.16385_none_5da314d233bb2676\dvdplay.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-stickynotes-app_31bf3856ad364e35_6.1.7600.16385_none_493ba8a4d2fc9697\StikyNot.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-convert_31bf3856ad364e35_6.1.7601.17514_none_9edcb4a706944d0a\autoconv.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-cvtres_for_vc_and_vb_b03f5f7f11d50a3a_6.1.7601.17514_none_726f4033dc35da15\cvtres.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_d18028273214fa77\SearchFilterHost.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ieinstal_31bf3856ad364e35_11.2.9600.16428_none_caf2ec2ca6b08f27\ieinstal.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-p..unterinfrastructure_31bf3856ad364e35_6.1.7600.16385_none_cd7aeeff1897d018_unlodctr.exe_69df45bb	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\msil_addinutil_b77a5c561934e089_6.1.7601.17514_none_1a816bc7556b71eb\AddInUtil.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_6.1.7601.17514_none_ef38a8d0d05cc2c7\IMJPUEX.EXE	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..tional-chinese-core_31bf3856ad364e35_6.1.7601.17514_none_b7aa02fc1797974c\IMTCPROP.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_3899b0ad2bb77a86_iscsicli.exe_20e14d4f	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_11.2.9600.16428_none_3bb1024f1e6bc086\mshta.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_6.1.7601.17514_none_e501f8e06b32b48f\net1.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_6.1.7601.17514_none_b9e7a42ab571bbb9\slui.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7601.17514_none_7288349cbfd37b08\taskmgr.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-computerdefaults_31bf3856ad364e35_6.1.7600.16385_none_064cf7cf249d0026\ComputerDefaults.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\MigAutoPlay.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_cb0f7f2289b0c21a\notepad.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-runas_31bf3856ad364e35_6.1.7600.16385_none_bbdd3aeb771e694e\runas.exe	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe

NTFS ADS 1 IoCs

Processes:

047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf 047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe

pid process

2292 047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe

pid	process
2292	047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\047bd4707c67b43c6386f09b9bf600df_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2292

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\905c0769f9a06c95a24ddf945\patcher.exe$
Filesize
6.8MB

MD5
047bd4707c67b43c6386f09b9bf600df

SHA1
e3d4acf2c7615da3f08fd4c18d3a7ede24a20a56

SHA256
a4240bee0f61206c372f04950fcbce24859e983ed1d274262e8917b89769dd2e

SHA512
8b84d6208586718d189dfd28d958ada70b5036fdc8d1885090aa8f9c99c15a55d428578340d6a52c4f4adc097c0b2098be21c75a930578fc9425ee294a15c382

Download Submit
memory/2292-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads