1a7f568d562c3f85c4f79b34a41eef8c4aab28c9d7677ef7b6ead11328f2b58a

General

Target

04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
Size

20.4MB
MD5

04fe616619eb2b1a612fd1dd130f89bd
SHA1

99938d2adfcea7ce4a5d52061409a2462cebe835
SHA256

1a7f568d562c3f85c4f79b34a41eef8c4aab28c9d7677ef7b6ead11328f2b58a
SHA512

b39aec9d50fe175e43f1d9562c2fdfea734be0f921b4b5f29a2502a937142ea1c04fb89a3fc145f937e20a81cd16aaede6774259c1938defaa52869d9ff748d0
SSDEEP

49152:XYgph7GBfWgBYcMbHP/4MnYYJ2ZhqSGLHkJEMwDkYOMwwnMb4PmyVOz/4MnYYJ2G:XX77GBfWgB5rIDQdYOXwnS4rVOsIDQ2

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ati display driver = "ÔN@"	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\bootcfg.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ftp.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mshta.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pcaui.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\prevhost.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\printui.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\waitfor.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CertEnrollCtrl.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\help.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InputSwitchToastHandler.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\typeperf.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\mofcomp.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\write.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\attrib.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fltMC.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OpenWith.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Robocopy.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\systray.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fontdrvhost.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setup.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\doskey.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\GameBarPresenceWriter.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ipconfig.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\logagent.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\print.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\extrac32.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mcbuilder.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msdt.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EaseOfAccessDialog.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\shrpubw.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\driverquery.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ktmutil.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sfc.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LaunchWinApp.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\provlaunch.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesRemote.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ComputerDefaults.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dllhost.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\doskey.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\logagent.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\newdev.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\powercfg.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WWAHost.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dtdump.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\printui.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\replace.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DWWIN.EXE	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\unregmp2.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\verclsid.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wevtutil.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bootcfg.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\certreq.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SearchFilterHost.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Windows.Media.BackgroundPlayback.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\comp.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\convert.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fontview.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP\IMJPUEX.EXE_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mcbuilder.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\userinit.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\provlaunch.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\proquota.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\MicrosoftEdgeUpdateSetup_X86_1.3.185.29.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedgewebview2.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\pingsender.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mip.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmprph.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeApp.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\dotnet\dotnet.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\javaws.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdateComRegisterShell64.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.185.29\MicrosoftEdgeUpdateSetup_X86_1.3.185.29.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\serialver.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rasclienttools_31bf3856ad364e35_10.0.19041.1266_none_e40ca34e5de298c9\rasphone.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_netfx4-aspnet_state_exe_b03f5f7f11d50a3a_4.0.15805.0_none_5ffcb7ce21b4d707\aspnet_state.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..ystemassessmenttool_31bf3856ad364e35_10.0.19041.207_none_59ba79211607f58f\r\WinSAT.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-winre-recoverytools_31bf3856ad364e35_10.0.19041.746_none_bd9bc99304595128\f\ReAgentc.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-dataexchangehost_31bf3856ad364e35_10.0.19041.264_none_c765d8a6c76ec25f\DataExchangeHost.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-format_31bf3856ad364e35_10.0.19041.1_none_dc79f03629571954\format.com_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tpm-tool_31bf3856ad364e35_10.0.19041.1202_none_72f9f7c7a1b307dd\f\TpmTool.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-a..cation-creduibroker_31bf3856ad364e35_10.0.19041.746_none_4c95cf26b3aa5907\f\CredentialUIBroker.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-c..plus-setup-migregdb_31bf3856ad364e35_10.0.19041.1_none_ed965939376efbbf\MigRegDB.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_netfx4-ngen_exe_b03f5f7f11d50a3a_4.0.15805.0_none_faaa7cb4e8f21456\ngen.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_10.0.19041.1202_none_d081cba554088913\f\slui.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wimgapi_31bf3856ad364e35_10.0.19041.1202_none_fdbbcf53ca14e151\r\wimserv.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-e..taprotectioncleanup_31bf3856ad364e35_10.0.19041.789_none_b38221af158e5881\f\EDPCleanup.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-e..taprotectioncleanup_31bf3856ad364e35_10.0.19041.789_none_b38221af158e5881\r\EDPCleanup.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.19041.264_none_fe5852f864c5941f\f\wermgr.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..cymanagerbrokerhost_31bf3856ad364e35_10.0.19041.746_none_5cc81a54cf095c95\r\EASPolicyManagerBrokerHost.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-r..verycenter-platform_31bf3856ad364e35_10.0.19041.964_none_21209b01f08afd33\SystemResetPlatform.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ces-backgroundagent_31bf3856ad364e35_10.0.19041.423_none_d8a242bf396f7d4d\f\SpaceAgent.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-web-app-host_31bf3856ad364e35_10.0.19041.789_none_1ab57d24625888e6\WWAHost.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\SystemPropertiesRemote.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-convert_31bf3856ad364e35_10.0.19041.1266_none_1befc89391e44c23\autoconv.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-efs-rekeywiz_31bf3856ad364e35_10.0.19041.1_none_c8306252df9627cb\rekeywiz.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..rarydialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_abd26b7610cb738e\f\AddSuggestedFoldersToLibraryDialog.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-filepicker.appxmain_31bf3856ad364e35_10.0.19041.1023_none_374973298940e35c\FilePicker.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rasclienttools_31bf3856ad364e35_10.0.19041.1266_none_e40ca34e5de298c9\r\rasdial.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_10.0.19041.746_none_3d198a3dbf54d1b4\cmmon32.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_10.0.19041.1202_none_dfaaff89afe4f3d4\vdsldr.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-displayswitch_31bf3856ad364e35_10.0.19041.746_none_cabafbc5834ab93f\DisplaySwitch.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_1ea3d2b20faf7de3\fontdrvhost.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-photoscreensaver_31bf3856ad364e35_10.0.19041.746_none_eda92e20fee7d318\r\PhotoScreensaver.scr-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..eldebugger-recorder_31bf3856ad364e35_10.0.19041.746_none_425d54d86cc1f3e2\ttdinject.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-deviceproperties_31bf3856ad364e35_10.0.19041.1_none_a03b7086d9468b36\DeviceProperties.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..kgroundtransferhost_31bf3856ad364e35_10.0.19041.1_none_4475a86a4f1da227\BackgroundTransferHost.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.19041.1288_none_e0f8082a6952ce81\r\ntoskrnl.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-remoteassistance-exe_31bf3856ad364e35_10.0.19041.1110_none_ac2441dbb712f006\sdchange.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sethc_31bf3856ad364e35_10.0.19041.746_none_40b989c5d3ea9316\sethc.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.84_none_29cf9b86db5fb249\AuditShD.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..t-bytecodegenerator_31bf3856ad364e35_10.0.19041.1081_none_5500d10e49b43346\r\ByteCodeGenerator.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wsl_31bf3856ad364e35_10.0.19041.1151_none_f7be996d8409bfa1\n\wsl.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_10.0.19041.1_none_63e4d70575e86068\setup_wm.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wab-app_31bf3856ad364e35_10.0.19041.1_none_02ef1556ab50e6d8\wabmig.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.84_none_9d98e005fb7852ca\SecurityHealthHost.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.19041.1_none_c26c8624c595ae48\GameBarPresenceWriter.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_10.0.19041.264_none_29367e02ede71097\f\wbadmin.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.746_none_770f598aef14382e\f\dfrgui.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lockapp.appxmain_31bf3856ad364e35_10.0.19041.844_none_c5675ea732c2eaa0\LockApp.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.264_none_6ea6dfb6393e5f06\r\DataStoreCacheDumpTool.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_8a237828132e61da\Pester.bat-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.84_none_9b0dd648f2c31f16\r\dfrgui.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_datasvcutil_b77a5c561934e089_4.0.15805.0_none_5b1ada239e3b0505\DataSvcUtil.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-defrag-adminui_31bf3856ad364e35_10.0.19041.746_none_770f598aef14382e\dfrgui.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-edp-notify_31bf3856ad364e35_10.0.19041.1202_none_958d6588f50ca146\r\edpnotify.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-networkux-legacyux_31bf3856ad364e35_10.0.19041.1_none_d374a4c62c9f2643\LegacyNetUXHost.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..tofservice-oposhost_31bf3856ad364e35_10.0.19041.1_none_3d1291badd9e7f22\OposHost.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-i..atedusermode-kernel_31bf3856ad364e35_10.0.19041.207_none_c5e1b9def3522696\r\securekernel.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_802f96a5044b0fbe\r\wmpshare.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.19041.1_none_c780234a16dfd399\TabTip.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..ommandline-dsdbutil_31bf3856ad364e35_10.0.19041.844_none_c171e0be75e709de\dsdbutil.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.84_none_ffbdc333a0778274\hvsimgr.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_10.0.19041.264_none_4a12028313046a9e\f\ntoskrnl.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_10.0.19041.1_none_9aa166e99861c2bc\query.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winre-recoverytools_31bf3856ad364e35_10.0.19041.572_none_b322aa88d0148356\r\ReAgentc.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a0a2b07e19474409a5e998fac1dca810000000002000000000010660000000100002000000092187121c21e41ef94efc6a0a4f79cdaeb47aa3b7065e79af7619a35e4cc84cf000000000e80000000020000200000003b33088a3084b13fbd86d02f59e373d548b3e0d02f8378cb0d43cd9dd8ea1e8a200000004ff9bd8ed299d511381c637fae919a2654f8ccbcf8a29b82c5f696dc4c5ad7ff4000000028aa98e6d723a73589dcb9bbbd82621d15b89f1d831360685b89ef5bc4cec31688f82a2f2f9fc7b6300298005383468703a4bb3a5fe86949ab100ca725ba4f62	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420462309"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b00185a65799da01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CD7CEE67-054A-11EF-8ED9-622FE37D88CC} = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d01a79a65799da01	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a0a2b07e19474409a5e998fac1dca81000000000200000000001066000000010000200000004bd8fa403f537ba79079148dd96176f50eb2f32c34fcbe9b77cb51fd7fc424c7000000000e800000000200002000000037a569e8ec27317c6f847f6e5a575984962ae918bd3e81988841952d183c37e020000000930aead3b4ebf16cf75d68e7858868452d96d36799765a8194164b4fd99bbf6740000000325c85b1ae3446582108cd50c1aa9f5a7eed03a3550e11e10b24da364759dec238d77cf90caaa51caedcaff13a7887f77d7a7ed5e6577d4faa0e3544d6521d0a	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.exe

pid process

3488 IEXPLORE.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.exeIEXPLORE.EXE

pid process

3488 IEXPLORE.exe
3488 IEXPLORE.exe
5024 IEXPLORE.EXE
5024 IEXPLORE.EXE
5024 IEXPLORE.EXE
5024 IEXPLORE.EXE

pid	process
3488	IEXPLORE.exe

pid	process
3488	IEXPLORE.exe
3488	IEXPLORE.exe
5024	IEXPLORE.EXE
5024	IEXPLORE.EXE
5024	IEXPLORE.EXE
5024	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exeIEXPLORE.exe

description	pid	process	target process
PID 4712 wrote to memory of 3488	4712	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe	IEXPLORE.exe
PID 4712 wrote to memory of 3488	4712	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe	IEXPLORE.exe
PID 3488 wrote to memory of 5024	3488	IEXPLORE.exe	IEXPLORE.EXE
PID 3488 wrote to memory of 5024	3488	IEXPLORE.exe	IEXPLORE.EXE
PID 3488 wrote to memory of 5024	3488	IEXPLORE.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4712

C:\Program Files\Internet Explorer\IEXPLORE.exe
"C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3488

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3488 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5024

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe
Filesize
20.9MB

MD5
d04d0b69fd7110a9e86f246271ad00b4

SHA1
e3346e535715a3c9c76178d13bddd70849f87bae

SHA256
196adba8431f7b53aaec1007c95494401049cf8725bb3468bc43c79a3d6119d1

SHA512
ac5caadb7fe835e7e5bd23ecb9e0d866a62f9b95dafae29af515a53579d065292f0dc2d0d5ceab887202c215d93014884f201bc1b12497c20386f5afd1a183b7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads