neshta | 382186b7b8c931372d24d2a07219ca68e6bce2b968b97912fdb732cf27e5fce7

General

Target

0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
Size

5.7MB
MD5

0533a02e3cae4a36d65e79089914e3ce
SHA1

fb1bd6eb516f151c91f18c073339ddb993e64baa
SHA256

382186b7b8c931372d24d2a07219ca68e6bce2b968b97912fdb732cf27e5fce7
SHA512

23fe76802ca870109b63cf3465c3bcb5b2a2580751caddfb40664a086e80f9722b0443531ee93a77cdd9941be3decdfb7c35a2d6e3db7e346367fdeae7312783
SSDEEP

49152:Fl/ijN5j2Xsl3RJ3LHobUQDgok30nwHzsOyCPOEqCN4MBciKOyCPO5YcM1:FlerjesRJ8YQU/ooPOE1NfciZPO55w

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 1 IoCs

Processes:

resource	yara_rule
C:\905c0769f9a06c95a24ddf945\patcher.exe$	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf 0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\RMActivate_ssp.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DisplaySwitch.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\forfiles.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mcbuilder.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesHardware.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\MigSetup.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cliconfg.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\upnpcont.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winver.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\chkdsk.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mtstocom.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\timeout.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wuapp.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cipher.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msra.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\takeown.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ARP.EXE	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sbunattend.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wimserv.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\CertEnrollCtrl.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PresentationHost.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\OptionalFeatures.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\setupSNK.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP10\IMJPDADM.EXE	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\odbcconf.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SetIEInstalledDate.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\UserAccountControlSettings.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\where.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wsmprovhost.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\find.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntprint.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\HOSTNAME.EXE	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\netbtugc.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\typeperf.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WPDShextAutoplay.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PushPrinterConnections.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sdbinst.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\poqexec.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP10\IMJPUEX.EXE	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\WinMgmt.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Robocopy.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SearchFilterHost.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\setupugc.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DeviceProperties.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\diskpart.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sort.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bootcfg.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ROUTE.EXE	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\runonce.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drvinst.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MuiUnattend.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lodctr.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tcmsetup.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wusa.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP10\imjppdmg.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\migwiz.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\syskey.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\TSTheme.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\doskey.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\regsvr32.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Uninstall.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\pingsender.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\rmiregistry.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnscfg.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-iexpress_31bf3856ad364e35_11.2.9600.16428_none_46d2efef53c02386\wextract.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a\ndadmin.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-restartmanager_31bf3856ad364e35_6.1.7600.16385_none_dc2a59723dcfa2c7\RmClient.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-soundrecorder_31bf3856ad364e35_6.1.7601.17514_none_fd2f4b124982e400\SoundRecorder.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\posix.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..lified-chinese-core_31bf3856ad364e35_6.1.7601.17514_none_763763505e93084b\IMSCPROP.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-isoburn_31bf3856ad364e35_6.1.7601.17514_none_4458ac8eafdacbdd\isoburn.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..restartup-baaupdate_31bf3856ad364e35_6.1.7600.16385_none_9243b833ecd918df\baaupdate.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.1.7600.16385_none_9ba1049ce0053bef\ConvertInkStore.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-speechcommonnoia64_31bf3856ad364e35_6.1.7600.16385_none_5e9e78a6dd413413\sapisvr.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_6.1.7601.17514_none_c910d80f114e267a_vds.exe_cb461c29	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\ComSvcConfig.ni.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\NETFXRepair.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-openfiles_31bf3856ad364e35_6.1.7600.16385_none_431b58a8041530aa\openfiles.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7601.17514_none_7288349cbfd37b08\taskmgr.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-winlogon-tools_31bf3856ad364e35_6.1.7600.16385_none_f0686b7ca6acde00_mpnotify.exe_bd6992f8	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-basic-misc-tools_31bf3856ad364e35_6.1.7600.16385_none_7351a917d91c961e\expand.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-efs-ui_31bf3856ad364e35_6.1.7600.16385_none_5269b9a9a14782a8\efsui.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-mcweblauncher_31bf3856ad364e35_6.1.7600.16385_none_5846a8771b202706\MediaCenterWebLauncher.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-rundll32_31bf3856ad364e35_6.1.7600.16385_none_33fa4336c49b998b\rundll32.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_678566b7ddea04a5\poqexec.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx35linq-linqwebconfig_31bf3856ad364e35_6.1.7601.17514_none_b532bb17fea7ee9a\LinqWebConfig.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\mcupdate.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-forfiles_31bf3856ad364e35_6.1.7600.16385_none_b1186146f739d0f1\forfiles.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-net-command-line-tool_31bf3856ad364e35_6.1.7600.16385_none_ae2743278c281682\net.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.1.7601.17514_none_3471a890d8284f57\spoolsv.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-r..-commandline-editor_31bf3856ad364e35_6.1.7600.16385_none_8d8925a444607f8c\reg.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..platform-input-core_31bf3856ad364e35_6.1.7601.17514_none_2f3651e7f36d703f\wisptis.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_wcf-comsvcconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_52db65a773b633fd\ComSvcConfig.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_d527b0a5438b8346_drvinst.exe_6593e92a	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\261c09179eae03d67c9b6f3e70b603bd\dfsvc.ni.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\0b4d4e172e8054cb61d27f5ab9e0e445\SMSvcHost.ni.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\change.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-c..utermanagerlauncher_31bf3856ad364e35_6.1.7600.16385_none_ea0a643b0e032c19\CompMgmtLauncher.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx35linq-edmgen_31bf3856ad364e35_6.1.7601.17514_none_0ca1fd81527e1e9a\EdmGen.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\ehrec.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_a018e05d0d33081d\dllhost.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.17932_none_d26a33ec18cb49c4\conhost.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-services-ehsched_31bf3856ad364e35_6.1.7600.16385_none_0167f08155bf1c81\ehsched.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-filtermanager-utils_31bf3856ad364e35_6.1.7600.16385_none_7582a4a93f08b488\fltMC.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ftp_31bf3856ad364e35_6.1.7601.17514_none_0b11635f6f2987f7\ftp.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe$	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-iexpress_31bf3856ad364e35_11.2.9600.16428_none_46d2efef53c02386\iexpress.exe	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_3e69140a61f1eff5_hdwwiz.exe_b6a1c2df	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe

NTFS ADS 1 IoCs

Processes:

0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf 0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe

pid process

2868 0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe

pid	process
2868	0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0533a02e3cae4a36d65e79089914e3ce_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2868

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\905c0769f9a06c95a24ddf945\patcher.exe$
Filesize
5.7MB

MD5
0533a02e3cae4a36d65e79089914e3ce

SHA1
fb1bd6eb516f151c91f18c073339ddb993e64baa

SHA256
382186b7b8c931372d24d2a07219ca68e6bce2b968b97912fdb732cf27e5fce7

SHA512
23fe76802ca870109b63cf3465c3bcb5b2a2580751caddfb40664a086e80f9722b0443531ee93a77cdd9941be3decdfb7c35a2d6e3db7e346367fdeae7312783

Download Submit
memory/2868-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads