e03aac26896597ff4ad379dbc8efb9c512c74ad506d9d7b4971fd3d15e47d331

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
Size

176KB
MD5

0533fe8004c74eba34f8276b403b1099
SHA1

a238f5fe4f01d30cfeeea0e4388b5c5a861c1263
SHA256

e03aac26896597ff4ad379dbc8efb9c512c74ad506d9d7b4971fd3d15e47d331
SHA512

3599fd9f8800098bdac353286456cd75514c412924d68290c42f8e55e9c360a061464c372993498d54ffedc42fdf5d1a30e90523e8ce52e8dcfc11068c6c8a96
SSDEEP

3072:dQIURTXJ4jC4MJBi3FFYBDetjEw1kCNc4/Ajdf2MoirZjrZfqBw9QI/QalFPNmkS:dsR4MK3k4tjEwGQHafxxZfCw9QBa7NDa

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\G:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\I:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\L:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\P:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\T:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\V:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\E:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\O:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\R:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\S:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\Z:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\K:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\Q:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\W:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\Y:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\M:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\J:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\N:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\U:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\X:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened (read-only)	\??\H:	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

Processes:

0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\runouce.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\readme.eml	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\readme.eml	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.htm	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\readme.eml	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\readme.eml	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\readme.eml	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBrowserUpgrade.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\readme.eml	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Hand Prints.htm	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\readme.eml	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\readme.eml	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\readme.eml	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplate.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe

description	pid	process	target process
PID 2988 wrote to memory of 2380	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
PID 2988 wrote to memory of 2380	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
PID 2988 wrote to memory of 2380	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
PID 2988 wrote to memory of 2380	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE
PID 2988 wrote to memory of 1192	2988	0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe"
2⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0533fe8004c74eba34f8276b403b1099_JaffaCakes118.exe"
3⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml

Filesize
14KB

MD5
d64d12ca44228547e952185058fbcec1

SHA1
3d263377243f3db8cb237c47dde7f1b11be3796a

SHA256
6914b42fbfeff6ed721dacca2dd52876a58011eeb674efd4650c040116bf7800

SHA512
471c38434f8b3659b07400a5433dc3c0435bff4746cb22eac87477cb413858886aab85542a31d5b6b63710014af324a8ae5da8085c4347f0ba06c1d6c45a8f85

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
8156706568e77846b7bfbcc091c6ffeb

SHA1
792aa0db64f517520ee8f745bee71152532fe4d2

SHA256
5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8

SHA512
8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
7757fe48a0974cb625e89012c92cc995

SHA1
e4684021f14053c3f9526070dc687ff125251162

SHA256
c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03

SHA512
b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
451KB

MD5
0d45ff51f8a8d9e79c6fbd950ffbc04b

SHA1
1ec390d730d0179e05196c9feb653f1bb1e7d1b7

SHA256
7e3addb978ddc5a9ae61a36e76f27b744a4eccf05b2742d45ab247381b05a533

SHA512
1afd65a3332aef34082d67e8e4c99bb73ff3392611ff0bbf9353bd0b9c355675eae5723cbe1da4be6c25a1989a634db4feb55e3550296eda879814d57a95458e

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
640KB

MD5
9c18b895046dff8c6714fad36ae9902e

SHA1
5677e4186e1f56beda0524370748124f93b1dafc

SHA256
98d100e15b3c665ab24c309140a952e941f9b0834515bc488e114e0483371d95

SHA512
bfd0ce8302b6e87bbaf1779d3483c4b70d341428c7dc096487ddd66a5e057e502416e6a27a5ea9b4b9bb70ac7fa68ab422b177d096063e447dda208c48dcda3a

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
640KB

MD5
bb5fa6e9c112b50a1e9581ab28b53578

SHA1
dca2a88dabce46addf62192ff7eea7430941bb97

SHA256
f2eb1cf2432dafbacd64d23ece989d2c88d270de0fdc1e425783e0e42cef42e5

SHA512
d43c4639e9c32af75c3d1ad99e3542ffcf35c3cc1fcd95751d73383311d1dfd53ee3bdeabc600cc5dc8bb06c9b3b7bb46bf5f00b5d5d8c6fb51636001e9dfb89

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
461KB

MD5
9bbc82697840ab678998effd25d25e2e

SHA1
16e7a4498143790087949f20640daf93b1347d8f

SHA256
4aaa7b1729deb98b36ea0eb15f00b71cad2a143ab69cafdec882adcdebfcf33f

SHA512
0ee0349849dbddc11fe8eaf8b07636611ebdba77853d2cf8a0b75cfb3f2064c87bd8d1a94b6a3a1d1604088eb1505ff6db4af482b9f006d46961551ec483c80a

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
451KB

MD5
f3080470a544acafba32f56f53b0f805

SHA1
366f67846580ac6655a153fe964684e6bcda0e22

SHA256
28bd705b20a50ec5ca88aa704fec530f990d18c74ffcbb0ee32d5034345d6c3a

SHA512
aa819c4b7c581123b411289fe38eba9d0ad0e8009925bfec882a07aa615a8b53f299295b0900bd35259effd470926add6e4ad0e0f297d6f8979fe63686b78e98

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
461KB

MD5
88d05554982ce9773b9b3b9d2f562cb9

SHA1
c823bb2ae3d441baac8a4e6e238a43afb456c24a

SHA256
b88bcab1b2f6ace22f58b23f03c586c4d998d67c8b2c4bccd5fbf386bb228494

SHA512
567652e893a6e7ee08f60a7869779fc08c37c7be709a81123210609a0bded1329a997abf4f65e339397b20780fe4446dbf0a111f81f9ec2dbe1331f18612242d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ose00000.exe

Filesize
152KB

MD5
8c500844d9c8d1dcadb8dc988153d743

SHA1
1cd499a0732d5007625b67a0ceff32b0eb4e4912

SHA256
e2a2f47cffe38e77c58670a3ab7a0f8794911715b310632212f358f710a08169

SHA512
f0bd512add296b92d075a0adf03bd71fae469c05d8eafa6031e36c535ac5fb8ff42bc3cc14a7cd71004f3956ce5c58bb541049154163e3240b09df9e7811ad5d

Download Submit
C:\Windows\SysWOW64\runouce.exe

Filesize
10KB

MD5
7bce1f7c6285fe7155f4777ac59ec0d4

SHA1
ba60a65cf816f821b4597f219ae264d4f1138722

SHA256
3d57968c488c11694b2abe07f118f3e2300c7246b1bfd856b484f8b19858b0ad

SHA512
8d10a5d9e5fc6cf16f43f276a3d3cc1729fede3aa64c9e51732c3814068aa874abfba10bc07aa20196f4a0c6af023c94f9af7b10319930b5881e721dcddba60f

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
58891f3adf2d5ad59e516a59cdd87d39

SHA1
c65456130b03e71895ef698fc4e50bfec4fb7b0e

SHA256
fc36a259bb42d93c9c8a1d4cc3b4aed4f84c2b2d0a0408345e67ddf3caf5424b

SHA512
b8e54547796455d890223900d605a3df956380b7fe547f7eaaa16175c87b53c53e3da42d05bb2408b31689b48676675323b345c9a3ff9c575a8c83626e8adc4d

Download Submit
memory/1192-3-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/1192-4-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/2380-437-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2380-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2988-853-0x0000000000230000-0x0000000000282000-memory.dmp

Filesize
328KB

Download
memory/2988-658-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2988-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download