d03c7eaa57cca7ae045e15aed612843518917fab03c45401a7c2032678e33127

Analysis

max time kernel
149s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
Size

27.8MB
MD5

04b7c4af4a989a6de2339a8b6455d832
SHA1

93f90dafe6dd7d7d358232d2dd38e63c3d82c3ae
SHA256

d03c7eaa57cca7ae045e15aed612843518917fab03c45401a7c2032678e33127
SHA512

0aef888893114bfe435c293541bf7c805d1ab5985ac59edc02710176f9b1f05e6eb93b2065315a71390fa38615bb7e4915138f0f45fe798b0917220ac6843b84
SSDEEP

98304:XX77GBfWr1GjrTgtYOXwnS4rVDBGKfYOXwnS4rVWKwF+WIDQm:vGBfWr1gITItXuQm

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 64 IoCs

Processes:

04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\IME\shared\IMEPADSV.EXE_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\notepad.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\notepad.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\setx.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WMIC.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wimserv.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bitsadmin.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\openfiles.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\printui.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TCPSVCS.EXE_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\finger.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\regedt32.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\srdelayed.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\waitfor.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\odbcad32.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RmClient.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chkdsk.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\xlog.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fc.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\icardagt.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\netiougc.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cttune.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pcaui.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\srdelayed.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\comp.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpresult.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hdwwiz.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\net1.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AdapterTroubleshooter.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HOSTNAME.EXE_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sdiagnhost.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dpnsvr.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\powercfg.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ctfmon.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntprint.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wextract.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WSManHTTPConfig.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sethc.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\doskey.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\instnm.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msra.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\osk.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\reg.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rekeywiz.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vssadmin.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wusa.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\esentutl.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMESC5\IMSCPROP.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InfDefaultInstall.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mobsync.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MuiUnattend.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmmon32.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dpnsvr.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tcmsetup.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesHardware.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\upnpcont.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bootcfg.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drvinst.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\makecab.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OptionalFeatures.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rrinstaller.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmprph.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\ssvagent.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\policytool.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\java.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Windows Journal\PDIALOG.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\kinit.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\vlc.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpenc.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\pingsender.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Mail\wab.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\c899de3549784161aa66610d5735e4f0\ehExtHost32.ni.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_6.1.7600.16385_none_975df0a6f5a54628\gpresult.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-net-command-line-tool_31bf3856ad364e35_6.1.7600.16385_none_ae2743278c281682\net.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-regini_31bf3856ad364e35_6.1.7600.16385_none_684b2e15d381ea25\regini.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..alservices-webproxy_31bf3856ad364e35_6.1.7600.16385_none_8d6c9c807200865a\TSWbPrxy.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-telnet-server-tlntsvr_31bf3856ad364e35_6.1.7600.16385_none_1ab997fb0a83afdd\tlntsvr.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_caspol_b03f5f7f11d50a3a_6.1.7601.17514_none_f885d1129806720d\CasPol.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-com-complus-setup_31bf3856ad364e35_6.1.7600.16385_none_459ccaf008ff34f6\mtstocom.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_d527b0a5438b8346\drvinst.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ting-tools-printbrm_31bf3856ad364e35_6.1.7601.17514_none_dfe02de35bf41e0b\PrintBrmUi.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\ehome\ehsched.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_divacx64.inf_31bf3856ad364e35_6.1.7600.16385_none_cf37cc4c5bc25dc7\ditrace.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-devices-mcxtask_31bf3856ad364e35_6.1.7600.16385_none_b6bc1aae9d0693c5\McxTask.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-iecleanup_31bf3856ad364e35_11.2.9600.16428_none_a03d6846a99c1c87\iecleanup.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-bootconfig_31bf3856ad364e35_6.1.7600.16385_none_680b6eb133f91b1b\bootcfg.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-fax-service_31bf3856ad364e35_6.1.7601.17514_none_0b499f2c96e8f6b2\FXSSVC.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-securestartup-tool-exe_31bf3856ad364e35_6.1.7601.17514_none_5840c326cdf5dca9\manage-bde.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\change.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\servicing\TrustedInstaller.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-diskpart_31bf3856ad364e35_6.1.7601.17514_none_c6fe6ac9ac8c7105\diskpart.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-gpowershell-exe_31bf3856ad364e35_6.1.7600.16385_none_94861149bb66249c\powershell_ise.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-winver_31bf3856ad364e35_6.1.7600.16385_none_12466fe3b629e036\winver.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_regiis_exe_b03f5f7f11d50a3a_6.1.7600.16385_none_9f01d3f4c9ca5275\aspnet_regiis.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCmdRun.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_bf4980401574a899\logman.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\b93c627ec2e15c2675bcc81edafb10be\MSBuild.ni.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-gc-registeriepkeys_31bf3856ad364e35_8.0.7601.17514_none_a0c922c3b170dd5d\RegisterIEPKEYs.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-pdm_31bf3856ad364e35_8.0.7600.16385_none_6425238b793ee910\PDMSetup.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-label_31bf3856ad364e35_6.1.7600.16385_none_b323fd6ee3f98653\label.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..cesframework-ctfmon_31bf3856ad364e35_6.1.7600.16385_none_f9257e7aaa4290ce\ctfmon.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-jsc_b03f5f7f11d50a3a_6.1.7600.16385_none_14e6e9dab736481d\jsc.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_eventviewersettings_31bf3856ad364e35_6.1.7600.16385_none_50ecc9ae1d642aa9\eventvwr.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.1.7600.16385_none_3575d2dc8edf4a22\diskcomp.com_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_6.1.7601.17514_none_326571587836a400\wsqmcons.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Journal.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.17514_none_fa8534ab236134c4\rrinstaller.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_6.1.7600.16385_none_ad5854ca0a23343d\umount.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-utilman_31bf3856ad364e35_6.1.7600.16385_none_5e9ea1964aee5579\Utilman.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\ehome\wow\ehexthost32.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\iissetup.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-infdefaultinstall_31bf3856ad364e35_6.1.7600.16385_none_c8897566b5c070a0\InfDefaultInstall.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\MigSetup.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..sor-native-whitebox_31bf3856ad364e35_6.1.7601.17514_none_ff1b74d24817a82b\RMActivate.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ommand-line-utility_31bf3856ad364e35_6.1.7600.16385_none_fd9ec705e687f8c2\WMIC.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-feedsbs_31bf3856ad364e35_11.2.9600.16428_none_dea50217efd0356b\msfeedssync.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a\newdev.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.1.7601.17514_none_533cd4f8150e6a86\RMActivate_ssp_isv.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e000000000200000000001066000000010000200000007c053a470fabbac23f35c5029457d2c23792b86def113328c8f3863b8c4c0dfb000000000e8000000002000020000000f2c1dbe98311f735e922b67ed7cd27004f8edfe743367a2a790df578f774fb772000000016f71645d4372fdf5a0385b86daec8232806688b8757886834881fe5ae11769d40000000971c1f4baa1878c3cd37a93fa8feb94eb0978aa4b5f3fdab83fc19a5063dc25c7d05c1c9e657881094023177a4ffc9b9c995aa075ebc2ad3c2c1db3fc5e5a14a	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f09fbf494199da01	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420452699"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{73778E21-0534-11EF-A34E-5E73522EB9B5} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e000000000200000000001066000000010000200000003da21856b15d1851f37075836bc1686a5962d24770690b5875cf5d50fad5d7da000000000e8000000002000020000000eaedb9bc0c183d99586fc36c33f1198af131f0360d4aaa2c3cda547f233e963690000000a0b353aea8cb79b878a456e3c57e2e3c53c4e3433275dc893455a4f620008d6993452e487a1a685cd1a0de30f899f34830ce17a150b8167fd01c378f136c1397772beeff2f1a32d0bdb669d1c575d0e829e553941ee762bda92e3f79be76059679487d922218a7615cd84a085853ad596d849503b9f32a8e019c92cfbf90d93c34bf3d3eea5e016e4a73b8fb3c296838400000002d2a8cb35244221487c08dbb2fb81e621b417ed7960882d6d49a7a691c7101cb4e0aa53eae6909bbd59d42e073c5729444a6bfd25a2b6d27ef0ec7e9b5ac0865	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.exe

pid process

2220 IEXPLORE.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.exeIEXPLORE.EXE

pid process

2220 IEXPLORE.exe
2220 IEXPLORE.exe
3044 IEXPLORE.EXE
3044 IEXPLORE.EXE
3044 IEXPLORE.EXE
3044 IEXPLORE.EXE

pid	process
2220	IEXPLORE.exe

pid	process
2220	IEXPLORE.exe
2220	IEXPLORE.exe
3044	IEXPLORE.EXE
3044	IEXPLORE.EXE
3044	IEXPLORE.EXE
3044	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exeIEXPLORE.exe

description	pid	process	target process
PID 2204 wrote to memory of 2220	2204	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe	IEXPLORE.exe
PID 2204 wrote to memory of 2220	2204	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe	IEXPLORE.exe
PID 2204 wrote to memory of 2220	2204	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe	IEXPLORE.exe
PID 2204 wrote to memory of 2220	2204	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe	IEXPLORE.exe
PID 2220 wrote to memory of 3044	2220	IEXPLORE.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 3044	2220	IEXPLORE.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 3044	2220	IEXPLORE.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 3044	2220	IEXPLORE.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Program Files\Internet Explorer\IEXPLORE.exe
  "C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
27.9MB

MD5
7456abeb1e98ca2fdff15e0991f41160

SHA1
c92bcbd8606da845e5355d230b0301db95499037

SHA256
bde2af2a9c184b42910ffa988a2583ca84386fd11f3611881dacecb093fafdae

SHA512
51e574f2b3d92247bdc292d17187e2bc8a9f3993bd0200d4b4e9b7b79e47f721a9b9722f2986c73fb87be6b6bb6ce7d903296abaf3b4f46bbfa157af412d842a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e51e53f074fdd58153df9d6f193892d9

SHA1
4e09e660ce48173441c8a04d473dae37492cebba

SHA256
e86def83f89af3ed927482e18451efdedd800f7977fd142c08c3ff38c9a8f2c4

SHA512
1e4e959d09a7691cb04827c90f5a45a33af0a1096308607f3d1e31f7d7db425a073b3bc1e8731c6b27a5a3e23d3109bbc611234060dcbe732395a4879f11823e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e2a2c0f3e1842dd173c2ff5461cf6cf

SHA1
b30041d4dd934f083f2b44ee4eb456aa10493649

SHA256
ecbbfae9e1a56d7ef9931175d5044ed103f0b5f758877bf72b0f1316c0cdf8fc

SHA512
4089af63741577675a542215f8d02804feab97b3ab8a89fd89259502a5aaae07617ddd456d1cdfea2d85524f0f15d8c5c69d63fc7809faec85297e5a3aed51f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a92f91fc01b0d648b0efbec7173c5ac

SHA1
f6ff840c8de0cdb0d2bd52484dc6ec04704c6b8c

SHA256
4c9f450e94673e59201d429464fb26029621d1c9faa47e03d47647205205eb08

SHA512
15e9e7f6123766f23d3c88316ce7b0d5ce90a5493c7980cd1efada1c97507efb7709d45d1216e0ececb5be32505f04447aaa105b5d792781346a6170a6ceb5e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9b1c9287e6633f742fc08a8b15dc00bb

SHA1
f0dbe189732b3020b0f61fdfd3780f44a27a9de5

SHA256
e6503f3728cd43ce2c46ab77eb8d44213c56f33e90c19bba24422bd7f15a321e

SHA512
a9529d17b0c9018e47076b596e51fe19dbd30f12e9a13695440970e4cda7af73644fc82b2a31b32b571e2926be0c381a784333fee25c08bb058dcc481f87a68c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4051bd266ea09702905d19d28e8bbaac

SHA1
a3f0a8fc13b7e14b0cfb46fa278a1b3019ce69a3

SHA256
16846a57eb3a08916e3fd3164754336040e740fc95110c22d13a22a13ab00fd1

SHA512
6551f0cd31502bcf8fb91791f2de0b9592ae5268637481d2838cbdb55750073c7631ef375a576f27b219681a957cdaf65531b1e33955f02feb01a3379d5c46a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
86b0ed16c1b4b9ffd951e9253d81805a

SHA1
2719aa8643120977db8fea18684bfdf22c00f3e3

SHA256
3b0cf701a00be808d40d75055b3f413fe2da0a37c04cbcc2e47c686f719e3667

SHA512
ea552d43f76e33cca47e34ef274f2676dae1005fecedf210aca54db9b1ff26b8080427b1d974cc5b133bd90593f6ae7c73593f43ba22959b488e1d339134a539

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1a3805163acfc86c66b2dc00cefbb65

SHA1
f10672f15c2c0a29e4be2db877869f2766834b48

SHA256
42747b41abdd17eefbc9ceb079023ba00ae4b323e5839d00c11ccff234db9903

SHA512
74fed2e79d86631b4270021bd171ac8fba35034019a3c43f9d29df3c706f654ce21c6cc445216bda04b0bd1db4e611a51dc64bf38bb937091b9b4939ece75fd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a5b469f46b0cf8e8b7f4776b4a0e1ca7

SHA1
9fe112ec4f03895270741485ce9c8f7370c8f560

SHA256
d29777496cc7e82edba1f6c4e6d416798b10b07cd811ad1305f2318afd494c12

SHA512
3b138b464a8273deca817999ee47d5d5909a424520760d5e3c000b35562eaad37782b98279c3db8baa814a185d0e22dcda9daccd9a3b15cb0e48c9abcdb28912

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
13d0168a72fe4cf440d1c6eddcd9c23d

SHA1
9f517c27d114d1bd79ebadeb8defde9006b020fb

SHA256
659a6299b663fd44857c8c3cf126b2150c4f2310f8a394f3ddd7f32c2d025767

SHA512
15c80224e34d53d721885de6da50e215e4f5d7843b72dd8b058e1a428563ca946e74ee7db8e08d4f96e475fc4b700cb06a30b8f6237134214aae8d07f93f1601

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8338207100416f1d0487ab1a9f2b2cc3

SHA1
004fe8c2e8ae8b0c90afa97e5dbba81ae120f5b8

SHA256
8c634a4733f56bd8d88d0b588b23d351633b1dc6ba741f7753292a5b97785d5b

SHA512
d6ebe494614ee23a27e054fd5946f21586cc1a96aa542eb11eea0b10cf724f51f7978e91215a1bc93c21bf0168eec71b971aaa678babf04e5cec90cacf8fb5c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bdadae570e0176f2597f75c9270208c3

SHA1
957374ccd9bb7561c8e2e0f05235cb67fcfcbd2a

SHA256
3ef62a6927c0da933e6a3bc7e04737988ab04a863567eb9e5d14565dc1dc54fe

SHA512
319dd59aac0a07a6ba7d150cd9e0a5f1a2e584f4aeeca985c93f9b9321e249693f6e1bf4abab5d803caff854beb705575942b181126f1557d0456c1616373c2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1264a0364b638b12cf863a255ccb59d6

SHA1
b908c1b05b29d85a2e5cfde7294d7363cb5c7fc7

SHA256
ead8dee891d05feddf30a129e8d9926d8ba07129e8e46213d8f802c828a92b13

SHA512
99727048875b26c904467d90af3d7792df233553c619e93501ee4b42eb2d52b868395be311da997f9b7bb6b88b5ce6e4af78eab45abf85eb7ee4c5ad60892bec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca432d6d8d94151c52b1fd6a6332f84e

SHA1
c78b2d4ee97c83b243708a29c6cedc0d7e8a1028

SHA256
72bc936938ec86888ff42761dadf6518191dbe129b431e329bbe83f8fcfc4696

SHA512
485843e6186b68ee2026c7058b72b2b780312ae2abb6c7316f10b9e8e8811b39a9c1032294cee3b28e941134434ae8377f0dc61975608137e8559c3586180ac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
170c5247dc5a3e7efad832cfd857bf95

SHA1
23f6eb298b2614df1609f2c43a5d6c618258ba1a

SHA256
14fc610cde53a1adca4150f6cfccc1d7ef4c9bacc4c657d8b32bb225e218cac3

SHA512
0972e19c2ba6ef644ad77d3d5b114b708ad3e9fdccab7dd97b4ee3c0d7bd4e595ffbc61d1a97b7632c191a1580be0c35a98b63151964eded4c6f41ba59c8e093

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
decb8e086fc6a5138b4b3c79a05994b9

SHA1
35c2fc196c126d7dac9fd82fae7638b528325a9b

SHA256
8755c05a86b68e84cc97bc76cdec3e7f1f363f1d7df5e15aa4e02fb78febdff7

SHA512
32e3c2a7d1afd4af6f1de1f6ada8f088c15ecc44669d690e5704645207f437e470fe7c1ee5e13e389cef47a697f73f68651db83dbae6117d2858dd42bb2a814d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c1e0c9434df9abf5f7653f82ab5dbfe

SHA1
92762c6ec43c18fe9ca5ca745209bf8a211407a9

SHA256
9c1ebe6bd8b10a6327acfeb4a9542c091b27b33e21e3da5e9a780afad675ba5f

SHA512
cfe0b0da9f8c64f6113838b6c7d6b241bc7673a100389d7dd805989a5d8b116fb839c2879b8e9e4e16c091092bda29d3c0b0084e1a7d72f07bf77e638a3d07ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f978517c1a53075ace7cce06dc08d24

SHA1
450f050e28833ac6bb46963c1831061b019ce60b

SHA256
33250162d026f0abcd440765ab47bb8661c4fbdf89f316d6237cf6dea9b31c12

SHA512
bac543e87f65fa3c4022b3eacbf41e9a06636e05da61ef6d2efa2ad06599b58440a5710726e7e39a5bc0334cd4387ddd8141cc06614c7b4b1ec5319b1ffbecea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eed0804604d7c5af2e47082798b7edf5

SHA1
97410825afa63c26fad11297d89c95e70b08ba4a

SHA256
b2c8688b08cc03dab21c548a26ab43ce7b7280adc702674b4619558db974dffb

SHA512
f337683f93117a1eaca7341458413033c2cbe106520f788bb82283cc8728e2587985f8c5d1fd9b2c921a368cc612089c6a32eb3348af7c77e05834abe1c4db11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
729933b55738790c27820f56f60be0e7

SHA1
222be8c7126252dc8e1950123f788baca79d3bf1

SHA256
c13c18dd3b2a782b2822b2d40b80e764cc5cbf9520bbead812d673aa601a2f2a

SHA512
27340f0116e66b97b378ae6a0c37fb5ca2a6995e8ca1fcf898b4bf944b2c9b9c179f5052bcce800743844d9a39bb20aaac768d96bd66a341c266639a8322d98d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab513F.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar529D.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit