blackmoon | 2785534bcddf14cb1ecb061d6f89ba096acc0fbc6420cf7c1ab94e4d7e56cfd4

Analysis

max time kernel
140s
max time network
142s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
Size

20.5MB
MD5

04fe0421c613a5769dcb79c278e416fd
SHA1

261b98539b4cb6e0cd5e4e1af740e736159dadfc
SHA256

2785534bcddf14cb1ecb061d6f89ba096acc0fbc6420cf7c1ab94e4d7e56cfd4
SHA512

604a81e79d75437e65514943748e19b6ea7e971adf3a44c8fe1051fcd160143401ed523719c8f45de7e510be411513e455a68f5253c4abfa4efbd0bcfc34cc69
SSDEEP

196608:da9+6Y7SOEibgRavvghmI3HoGgnbkPa9+6Y7SOEibgRavvghmI3HoGgnbk:dFgRav6myIGTFgRav6myIG

Score

10^/10

blackmoon xmrig banker evasion miner persistence spyware stealer trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2000-0-0x0000000000400000-0x0000000000613000-memory.dmp	family_blackmoon
C:\Program Files\7-Zip\7z.exe	family_blackmoon

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 17 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2000-0-0x0000000000400000-0x0000000000613000-memory.dmp	xmrig
C:\Windows\svchost.exe	xmrig
C:\Program Files\7-Zip\7z.exe	xmrig
behavioral1/memory/2556-219-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral1/memory/2556-343-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral1/memory/2556-344-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral1/memory/2556-367-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral1/memory/2556-368-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral1/memory/2556-390-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral1/memory/2556-391-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral1/memory/2556-746-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral1/memory/2556-747-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral1/memory/2556-748-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral1/memory/2556-749-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral1/memory/2556-750-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral1/memory/2556-751-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral1/memory/2556-752-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig

Sets file execution options in registry 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe"	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe"	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe"	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe"	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe"	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe"	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2556 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2556	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe"	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\LocationNotifications.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasautou.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\raserver.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmdkey.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\driverquery.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msfeedssync.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SearchFilterHost.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\srdelayed.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\ditrace.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hh.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mmc.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\powercfg.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sc.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sxstrace.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\UserAccountControlSettings.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Ribbons.scr	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\scrnsave.scr	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\charmap.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cscript.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\diskraid.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\runonce.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmstp.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dnscacheugc.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dxdiag.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpresult.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sethc.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\systray.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WerFaultSecure.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\find.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fsutil.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iexpress.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\net1.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wininit.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\doskey.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasdial.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\takeown.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPUEX.EXE	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\w32tm.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eventcreate.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\isoburn.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntkrnlpa.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\perfhost.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RegisterIEPKEYs.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\setupSNK.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\subst.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Mystify.scr	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cttunesvr.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dccw.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\logman.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\newdev.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rdrleakdiag.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RmClient.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\choice.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\diskperf.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msiexec.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\netsh.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\reg.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wermgr.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\_isdel.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Netplwiz.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pcaui.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SndVol.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\verclsid.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wimserv.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Mail\WinMail.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\currency.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.htm	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\flyout.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OSPP.HTM	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files\Windows Defender\MpCmdRun.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmplayer.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\flyout.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\wab.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\winsxs\wow64_microsoft-windows-xpsreachviewer_31bf3856ad364e35_6.1.7600.16385_none_7b64ef799c494a30\xpsrchvw.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-calc_31bf3856ad364e35_6.1.7601.17514_none_abc56b2678fe1108\calc.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-runas_31bf3856ad364e35_6.1.7600.16385_none_5fbe9f67bec0f818\runas.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13_wininit.exe_7a527f28	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0212532a5cdf4b5f\settings.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-13.htm	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-directshow-dvdplay_31bf3856ad364e35_6.1.7600.16385_none_5da314d233bb2676\dvdplay.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\Backup\wow64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_3eceef6140ec9728_printui.exe_bb673fff	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..iondata-cmdlinetool_31bf3856ad364e35_6.1.7601.17514_none_e6510234bbcb2a8c\bcdedit.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.21863_none_caa8f7c0e409a91f\ntoskrnl.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\Backup\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_6.1.7601.17514_none_c910d80f114e267a_vds.exe_cb461c29	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\401-5.htm	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\config.json	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-setup-support_31bf3856ad364e35_11.2.9600.16428_none_a827c83273877b14\ie4uinit.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7601.17932_none_d088def7226177d5\user.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\BitLockerToGo.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..temcompareutilities_31bf3856ad364e35_6.1.7600.16385_none_5cbb962a4f0d58c1\comp.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sidebar_31bf3856ad364e35_6.1.7601.17514_none_37575b7e71a86712\sidebar.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0246f6465cb859ba\picturePuzzle.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-iscsi_initiator_ui_31bf3856ad364e35_6.1.7600.16385_none_d7c180d4bd657495\iscsicpl.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_es-es_92a65a18e6532ae7\settings.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-consumers_31bf3856ad364e35_6.1.7600.16385_none_a6c7190f7292676c\scrcons.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\ehome\wow\ehexthost32.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-setup-support_31bf3856ad364e35_8.0.7601.17514_none_3eb101caec1acc2c\ie4uinit.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\Backup\amd64_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7600.16385_none_23376bf5921e7b63_auditpol.exe_83c870f4	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-runlegacycplelevated_31bf3856ad364e35_6.1.7600.16385_none_10e2654156a06b06\RunLegacyCPLElevated.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d4f8a2f961a0e7e4\settings.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ting-lprportmonitor_31bf3856ad364e35_6.1.7601.17514_none_1229a6f0546e2346\lpq.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ConvertInkStore.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\ehome\loadmxf.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehshell_31bf3856ad364e35_6.1.7600.16385_none_95955bd51390781b\ehshell.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-tapicore_31bf3856ad364e35_6.1.7600.16385_none_4a83748394a862f9\dialer.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_100033cd17b788a3\settings.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_cde90685eb910636_winlogon.exe_ac37d0c5	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-msdt_31bf3856ad364e35_6.1.7600.16385_none_0bcbfdec6b984220\msdt.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-8.htm	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\500-17.htm	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\406.htm	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-recdisc-main_31bf3856ad364e35_6.1.7601.17514_none_e2a1ffe0ca40cff2\recdisc.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5b0078129ae2bf07\404-2.htm	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_it-it_45286e597214a485\403-17.htm	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\401-3.htm	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-ielowutil_31bf3856ad364e35_8.0.7600.16385_none_7d25450501edb94f\ielowutil.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-write_31bf3856ad364e35_6.1.7600.16385_none_5f5928533e6b72c0\write.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403-17.htm	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-makecab_31bf3856ad364e35_6.1.7600.16385_none_4cc4738d82efdf85\makecab.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3d8bb37f97ba22ff\sdbinst.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-dpiscaling_31bf3856ad364e35_6.1.7600.16385_none_7a1e2959bc43abd5\DpiScaling.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_48ab2da59753f08b\picturePuzzle.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-whoami_31bf3856ad364e35_6.1.7600.16385_none_2a716ffd9b872f68\whoami.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_6.1.7601.17514_none_fed8c13f0d90a8cf\WinMgmt.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e74ded66652fb660\403.htm	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sxs_31bf3856ad364e35_6.1.7601.17514_none_0c72a18b6e43457b\sxstrace.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\shadow.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.1.7600.16385_none_3575d2dc8edf4a22\diskcomp.com	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_df7c5af777ec4541\drvinst.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rundll32_31bf3856ad364e35_6.1.7600.16385_none_d7dba7b30c3e2855\rundll32.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-optionaltsps_31bf3856ad364e35_6.1.7600.16385_none_e1d294682a365d27\tcmsetup.exe	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c3672adaf7f9b591\settings.html	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0f8ccf36b90bab3b\403-3.htm	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2000	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
Token: 33	2000	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2000	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2556	svchost.exe
Token: SeLockMemoryPrivilege	2556	svchost.exe
Token: SeLockMemoryPrivilege	2556	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

pid process

2000 04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

pid	process
2000	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

description	pid	process	target process
PID 2000 wrote to memory of 2556	2000	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe	svchost.exe
PID 2000 wrote to memory of 2556	2000	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe	svchost.exe
PID 2000 wrote to memory of 2556	2000	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe	svchost.exe
PID 2000 wrote to memory of 2556	2000	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe	svchost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04fe0421c613a5769dcb79c278e416fd_JaffaCakes118.exe"
1⤵
- UAC bypass
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2000

C:\Windows\svchost.exe
"C:\Windows\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe
Filesize
21.1MB

MD5
e2ca1bcd6700bbf0f07faa1b6fefeaf0

SHA1
8d9816faf7eef6d085efb9f6ba4935c6ee65c7dc

SHA256
b5856d79df1cf39f6ba77acfdfc121f36c2c5e58415ccabe2be4253dba4b5a9c

SHA512
3f312e37cc04ef03c50d7110f79f953e6cdb665c314943547a859fc96431da93028925f27702063decfd3c6b2fb699c359d64b57e469ccee622b4ece41ef81f7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html
Filesize
16KB

MD5
ed1191da9c4f74a60d695a25686f374e

SHA1
3a427657c16a716be332587425101653c25221d0

SHA256
ab8cafd1958c27d70adc747259495e35592f8a06ae00969964f5f34f72896f3f

SHA512
68098c1342f87939b3f57cd3e3a799ff316d2f1eb5c52f8d9c0c9e7c214281bff68a1260a91527b7175ad031798f42125cf9ee2e0d49772eb03b5836b67d9fbf

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html
Filesize
6KB

MD5
657eb3527d651515f97b960a67d19fda

SHA1
27404b587183bc2f3b3b6919fbb91892f505b60d

SHA256
f301745232a72d84f277980ad53b65d94b02479369e8b73fe0e6717adcf11a35

SHA512
1085550a8844de081a216bd864990e56fbe91498fb6186cce435173ab73e29932e7b8182078cd2876039addbdb7e3c9769d7d7923f7ed2a5422e6a2a36321b70

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html
Filesize
12KB

MD5
cdea5d1cccee27144519c75bcf3015bd

SHA1
c36862abb1ada006b3dd4c28adc8b393a92fd325

SHA256
1184f2316c36648a2d457b602c713d5d5eb980e86e5e8ed388e94a47f8573dbd

SHA512
5d0ea1cef2af7111098c19578c42bfdfd7bb00ec3259fe026df6dd867a24f9a94f3299b035235e3cb87b1c9010f0d1be434a08318dae0412e03ecfdb439edfe9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html
Filesize
9KB

MD5
bc3e199345ad8ba54e2fe4acad95433d

SHA1
c93cb69c27e1c03069de3c952534a52f391e3fb9

SHA256
462c197c83ee3d677b07fe000b2c4e64ac4be4ceaaea80c1c77a5e67d832edd8

SHA512
c1941c9106ff0d665dfee1888afcdc3c54e4db8fdb11e3313cd92a147a1084264dba8f1f9cbac5216d3c5ce1f97ff7f8d7d7493826ec3538d5db57a933fe32e4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html
Filesize
14KB

MD5
59e4add1732aef6b8e228ecfb880c299

SHA1
31a6380e878f89ec9d2c83716fe42faafdd828db

SHA256
089aaccbf4c17d2a0163f13820e926f8ce3122c9ed87e7e040a77439795b8fc4

SHA512
461240638f98f92a0df94a6a76470d7ed3a9bf45f845b545ff37355efd4fb3efdbe592e563b6624d2e42374a3bf7682a572c3bfd96c21be87fc96ec3b3bcfbaf

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html
Filesize
16KB

MD5
26986f79440b7a706b65724e509f009f

SHA1
9d8ff0beef1c19fbecd28e3f632101acf3d02599

SHA256
e59b7fa34b947d5ada478ff17543204251955052fdace284e5a285bd2abec5d1

SHA512
2c240c4f7b8912bd5049bef22c2507c7c1af15432c860549d0f1ea35f03183270eb7315607fdf35be86703a61ec0ed7801e9e6ea627a026dbf93d98ff11d2ed6

Download Submit
C:\Windows\config.json
Filesize
1KB

MD5
88c5c5706d2e237422eda18490dc6a59

SHA1
bb8d12375f6b995301e756de2ef4fa3a3f6efd39

SHA256
4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e

SHA512
a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

Download Submit
C:\Windows\svchost.exe
Filesize
833KB

MD5
4a87a4d6677558706db4afaeeeb58d20

SHA1
7738dc6a459f8415f0265d36c626b48202cd6764

SHA256
08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7

SHA512
bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

Download Submit
C:\vcredist2010_x86.log.html
Filesize
81KB

MD5
a79acb14c9a875cb55b71dda3da29336

SHA1
920d824765bdcc454ce6dc3f4b96873db994c729

SHA256
a49f389ea264ae53fb7361c5c473935b9b7bc17cbc56b6fdbb4e38497ae5c156

SHA512
2ee83740eb394da41efbd4eb400944c19877dc8c8a39946ba09fab4cc29f91075c8884e7fbb62c2cac0267b3785509bd65613a218eb5e9fa0c568dde8c875307

Download Submit
memory/2000-0-0x0000000000400000-0x0000000000613000-memory.dmp

Filesize
2.1MB

Download
memory/2556-344-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2556-746-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2556-390-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2556-368-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2556-367-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2556-343-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2556-219-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2556-391-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2556-747-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2556-748-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2556-749-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2556-750-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2556-751-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2556-752-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download