4d625dc62c2cf5fbcd19fb5816ac278168bfcb561ee58acd433220b292cc3c6a

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
Size

17.1MB
MD5

056518f26a873389cbb7e29591c47fef
SHA1

aeb62e0dfae894ec460b0fea6b7eb468ba1e7eba
SHA256

4d625dc62c2cf5fbcd19fb5816ac278168bfcb561ee58acd433220b292cc3c6a
SHA512

93eb81ace5f1a5ab9a793778c71ed22f04565eb5433c7e82a8e4852b5ac855a9b61c4848fc1826b964e015f51222a913046227f26c53f0f861f2f1a3bc8e0362
SSDEEP

98304:XX77GBfWgx1t4+Cgaw7YOXwnS4rV5IDQ61HMEYOXwnS4rVuD:vGBfWO1Gj3ISuQ61CI9

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Contacts a large (786) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ati display driver = "ÔN@"	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\powercfg.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cacls.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\BrmfRsmg.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\help.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mcbuilder.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mmc.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cscript.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DisplaySwitch.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\powercfg.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PresentationHost.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WSManHTTPConfig.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\attrib.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dpapimig.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dvdupgrd.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\systray.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMESC5\IMSCPROP.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winver.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\driverquery.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\isoburn.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SecEdit.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Robocopy.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rundll32.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\whoami.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\choice.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hdwwiz.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mmc.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nslookup.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasdial.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\timeout.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wermgr.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dccw.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\imjpuexc.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\reg.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RunLegacyCPLElevated.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TCPSVCS.EXE	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sdchange.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WMIC.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\write.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ieUnatt.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\scrnsave.scr	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sethc.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ssText3d.scr_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sxstrace.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\userinit.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\printui.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tracerpt.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vssadmin.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mfpmp.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\net.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xcopy.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bthudtask.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\certutil.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmd.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\compact.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ddodiag.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\perfhost.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\at.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\expand.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msfeedssync.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate_ssp_isv.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TCPSVCS.EXE_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mfpmp.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Java\jre7\bin\tnameserv.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\WinMail.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpenc.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\Install\{F6AFA7E0-7C65-4C06-9D81-8A9FA89DB845}\chrome_installer.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\orbd.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\rmiregistry.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\setup_wm.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\setup_wm.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\kinit.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmprph.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\winsxs\x86_microsoft-windows-a..ce-useractionrecord_31bf3856ad364e35_6.1.7600.16385_none_32c4b0bc55387f75\psr.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_7cf343cac8a829ec\find.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\bfsvc.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\explorer.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-anytime-upgradeui_31bf3856ad364e35_6.1.7600.16385_none_4aadf3be188c056d\WindowsAnytimeUpgradeui.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.22091_none_d2b1c721321aadf8\conhost.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\chgusr.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-gpowershell-exe_31bf3856ad364e35_6.1.7600.16385_none_9edabb9befc6e697\powershell_ise.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-w..ion-twaincomponents_31bf3856ad364e35_6.1.7601.17514_none_8b399e33ba72bed9\twunk_32.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_6.1.7601.17514_none_da3cb85562df73c9\memtest.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\ehome\ehshell.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-services-ehrecvr_31bf3856ad364e35_6.1.7601.17514_none_1b8f8373383de46a\ehrecvr.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..otservicing-utility_31bf3856ad364e35_6.1.7600.16385_none_d139a2cea567ce3f\fveupdate.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wpd-shellextension_31bf3856ad364e35_6.1.7601.17514_none_6f4ef219dd693ca6\WPDShextAutoplay.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..eak-diagnostic-core_31bf3856ad364e35_6.1.7600.16385_none_b70694aa97134f37\rdrleakdiag.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-taskhost_31bf3856ad364e35_6.1.7601.22172_none_86ab4a318a459fda\taskhost.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\mcupdate.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\9a69a26417a09c2d9d7f67bf7592bd74\ComSvcConfig.ni.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\Boot\PCAT\memtest.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_a018e05d0d33081d\dllhost.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-directx-directplay8_31bf3856ad364e35_6.1.7601.17514_none_d6fc8d83d55eb77c\dpnsvr.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.7600.16385_none_a61138e7aab17fed\ieUnatt.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_wpf-terminalserverwpfwrapperexe_31bf3856ad364e35_6.1.7600.16385_none_243595ae2cf3193f\TsWpfWrp.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pptico.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-servicepackcoordinator_31bf3856ad364e35_6.1.7601.17514_none_92e727843e307e1b\spreview.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systray_31bf3856ad364e35_6.1.7600.16385_none_4f466e7a0fbb1a04\systray.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-workspaceruntime_31bf3856ad364e35_6.1.7601.17514_none_848b402bf3e1c3b1\wksprt.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tapicore_31bf3856ad364e35_6.1.7600.16385_none_402eca316047a0fe\dialer.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_7cf343cac8a829ec\print.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17514_none_4008824c98f8edac\dnscacheugc.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.17514_none_04d9defd57c1f6bf\rrinstaller.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_0b66cb34258c936f\PkgMgr.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_msbuild_b03f5f7f11d50a3a_3.5.7600.16385_none_8c3cf176a8e91487\MSBuild.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-compact_31bf3856ad364e35_6.1.7600.16385_none_55ea2c71cf438ffc\compact.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-adminservice_31bf3856ad364e35_6.1.7600.16385_none_b65cdbcf116dd7c5\WMSvc.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..restartup-baaupdate_31bf3856ad364e35_6.1.7600.16385_none_9243b833ecd918df\baaupdate.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.16385_none_9e59e11166b683d3\PDIALOG.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-migrationengine_31bf3856ad364e35_6.1.7601.17514_none_5aaf419e398215df\mighost.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..mpropertieshardware_31bf3856ad364e35_6.1.7600.16385_none_40d0db63344deff9\SystemPropertiesHardware.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_netfx-csharp_compiler_csc_b03f5f7f11d50a3a_6.1.7600.16385_none_d2fff1dae966863c\csc.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_6.1.7600.16385_none_41c821eeeae8dea2\pipanel.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-terminalservices-theme_31bf3856ad364e35_6.1.7600.16385_none_d5bc65ffdc22ec35\TSTheme.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExec.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_infocard_b77a5c561934e089_6.1.7601.17514_none_583a8c60c0b305a1\infocard.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sqm-consolidator-base_31bf3856ad364e35_6.1.7601.17514_none_326571587836a400\wsqmcons.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-netsh_31bf3856ad364e35_6.1.7600.16385_none_5f774c61592c67c3\netsh.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\shrpubw.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-xcopy_31bf3856ad364e35_6.1.7600.16385_none_62cc00cc559fd4ec\xcopy.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\ehome\ehexthost.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-forfiles_31bf3856ad364e35_6.1.7600.16385_none_54f9c5c33edc5fbb\forfiles.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_114ca177b1fcad24\newdev.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-winrsplugins_31bf3856ad364e35_6.1.7600.16385_none_160ccc8a92fae520\winrshost.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_6.1.7600.16385_none_a749cec7a8b6bf08\wbadmin.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-ldr64_exe_31bf3856ad364e35_6.1.7600.16385_none_f98e4869675ab367\Ldr64.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_aeb1ef0f4e6bba1d\wscript.exe-	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7600.16385_none_ce6f64032560fa6b\setup16.exe_	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5003f9517899da01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7B8D15D1-056B-11EF-9001-CA5596DD87F4} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000809198fac485169708b9b475ce8a638b35babeabda4c10d4c6c9b7e8a47f79c2000000000e8000000002000020000000962b6a77a561f073bc096f8bfd2ac2471f7b59ab01eca336946dcdba98196d1b900000005b25457161ccf3c549a57cac5a5c4a2210ebc463f84318e3e3452743e7f39c5e3e2f68f6e0a54e5b4362a1b45120b67010f3ed8307f0f629e3682795da9c03691249ec1d1c72547ab50550efd0cbef2aea78f6db143ad74b960b28f4d4fb50d134c480e371b019ad16f34db2ddb88e74359d14d471226902affa59217e1e49d37049d14b51dbf3b1d5b8e81138ecf5684000000043d3ec9ebb4e9b815e9d58c41ba29ee3d00b80145bc91a2c1daca6c408394891145d282d96a65089a813743aa6e50e738dcf1b25d69e7027ac29135b94337472	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000592b907d0efe37f39fa3df90edcb2d2f2713a110782441892b616bf47eb711a4000000000e80000000020000200000007bf3005368e493f02a67f548d510ad10c3666ffce5f34105cadf241ddc67548c20000000bc339c152091362c3ee3e0dcfad64f0bc8204956cd60dca247822f265170140540000000399bb5c9b993bc2782b53353048757d9431a51e99765abb0bb43d9a2f917d8f052d4275360f6ff260eb64660c5fe1ac1872fa749e4af0133675f0ace1f7a91cb	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420476334"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.exe

pid process

2320 IEXPLORE.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.exeIEXPLORE.EXE

pid process

2320 IEXPLORE.exe
2320 IEXPLORE.exe
2532 IEXPLORE.EXE
2532 IEXPLORE.EXE
2532 IEXPLORE.EXE
2532 IEXPLORE.EXE

pid	process
2320	IEXPLORE.exe

pid	process
2320	IEXPLORE.exe
2320	IEXPLORE.exe
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

056518f26a873389cbb7e29591c47fef_JaffaCakes118.exeIEXPLORE.exe

description	pid	process	target process
PID 2908 wrote to memory of 2320	2908	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe	IEXPLORE.exe
PID 2908 wrote to memory of 2320	2908	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe	IEXPLORE.exe
PID 2908 wrote to memory of 2320	2908	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe	IEXPLORE.exe
PID 2908 wrote to memory of 2320	2908	056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe	IEXPLORE.exe
PID 2320 wrote to memory of 2532	2320	IEXPLORE.exe	IEXPLORE.EXE
PID 2320 wrote to memory of 2532	2320	IEXPLORE.exe	IEXPLORE.EXE
PID 2320 wrote to memory of 2532	2320	IEXPLORE.exe	IEXPLORE.EXE
PID 2320 wrote to memory of 2532	2320	IEXPLORE.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\056518f26a873389cbb7e29591c47fef_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2908

C:\Program Files\Internet Explorer\IEXPLORE.exe
"C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2320 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
17.2MB

MD5
6681bcdfa59914719d49ac52a513e509

SHA1
f6c096fd06dcfcf1f3da38b1560867639a0e67f7

SHA256
6509eabd30b86ccb052d2b0fd7dee09e627c6dc6c7bb7f6ec5aef746266d6820

SHA512
a1d212eff8f4466de66d991c68959b177d5312fd5986016deb4c027f6296d25152d60b53426f8f888bc59b125eb57d3324ccca8fc206dc7349a965b8be40c9ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d00e603c0d5c6847fe7a66486f8546af

SHA1
69af36c9fccf163441c3729750591c165ba576a2

SHA256
67b8bff5ae2af8f76f2766c88a42388f4f0f223a142f62f008a82d7224679cc1

SHA512
cbfbe5af9e3324e3f25fb631dd941b8c3207e90a01301795310b855ee26e9532bcc058ecd9b860a8e04cc17638715e69a43502b770b3cd62b350e973f5343c2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
229626992031d653df14be89a3a239af

SHA1
4d83f75946de8451fbc8f1696fb9b7dad90b94d8

SHA256
abbcc349c7be194a3b13ae291da77a8893a77616e4027ce19deebb271be6c2cf

SHA512
bd40ef64c0859bdcc31200e2ddb2f62b85d1f608eea0b47438e7011283845c53ee0c193f675947e28bcdd21bbaaa043e8a8d827bda6922b5f388c45da09ff92a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e4fab80803a125e9dcb274f8149b08ff

SHA1
e438a6168f87200ee883bb6fa2a0ffb05f57d0d6

SHA256
71209b4ef21daad4cc31cc03efb17bdbc0156f39afaa9d0b30790cf891dd47a9

SHA512
99ce8ffb0c034054070e62c65d12bac39e8b040b5268de9b00da59bad0e4b80d574194506b3dd03d92cf49eecc1468b4a3cbda15fe29937d27d3a4d83a6eb52f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
89a73a360130bf4a8ce483df879d7df6

SHA1
6a815811694392a00d6db80d78ef7b6643a69e46

SHA256
269bde028b99d0d32d9014f3618d107a41e8b0ce6f0a94e5f19a396a440a3b6c

SHA512
a310d542e7b94d7af16f38465b5eb672c954dde3232941ea707496ab8561011c23b14a1ec339ea03f909362ff8034f57bc358d3d620856da7e6eb80983f6ca8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7fd10eab8ba4a85b36f81a1b3bd548a6

SHA1
07c263476e0e518e71e2880e74ed025ebf33aee0

SHA256
fbcd07a8af4168d0cd384282e2dd08676797bbc57e07411be3aa8325bed617d6

SHA512
003210309b627a431b3605a87bf73a453b46b2b20317acda21188b10d4078dc3b595100cbcfd4f7b8da49e720c4ef359973b293000098388554427018f30bd86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
789ce1f15ba56faa9ae9ffd6a72466c6

SHA1
42e342467066c9878cbcdd95c3d97da2d3c3d086

SHA256
80730299d6f42fcb4df5e748d7f6dcffd31db046e0057abbebd2936b9b392f85

SHA512
2f526b6dfd7710f00f96df90a1838de53a169f675f37f9601ff824bc7fc608a0b5af869a23ed81fa3d1c03173ff9163969981c655d2b91f902902add0e3c2662

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
25fb5d026203dacc68503dc854f3bd3a

SHA1
4b169fd71d7f8cefe93b322bae90a71420ece04c

SHA256
101763dba65c7b190a9fe4a5a796df977f4eed2b893c6a007716d377c4441c4c

SHA512
a98425ba426de5c8da9993a45b5edb04a5f65f23fe04ced138c0ef2dd732f0660a38d0a87fcc4efff6a896dab0d3ee8bdcc23b72678a89687e992c76f4a485d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d090d70a1f81303592f6806f23eb0113

SHA1
d57bac781c1d404d0fc6692b5c24c35cad25be34

SHA256
77b6feaa642d2b0eb8e2bf037f06c841f5b924ec9c5ce7ab484754b9e3788f86

SHA512
dc9069f482d2fd3c696b269a105ee01bd012addc2964b1c5fed294dffa047b633f16fcc00c1b6c4921ae27a2cc58dbc27b5555b672019ecf0b0424712482c87f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0b9adf00972d62cb19e5e535782e0ca8

SHA1
4585d2ddd7c1aac44323a28394bcab7d1f5f56e6

SHA256
ad0fc7c8b89723d7c59b0bae6a0d3a6088522f713b1d29a66d1cb199089ecb11

SHA512
d455e7850f70ef1ac9f1776ae45cb4567e3f54f8e17e1526a6da1fd14bea6922aaae145c36ddf23aff80723a0c3768b7d3cf249f286eabef3091b4b3933c6880

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
99b2769c1544efb0e1618162c57bc02a

SHA1
52307414ac4fb01ac2ebf2cf4469182b8116e0e1

SHA256
0c8f09f579f276cc6b0cdbad58eb36b149e4d2c8c1796d79e2a64c768741d227

SHA512
b342be8d523955cf31e1ae06148b999e60d292a992bf72b7a72377bc764936cf184afffb7032b5968147920b02c70111e76ad8c8fd5e630b34fc66d84dfc9e58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7338bc8354e6199bbe1506ffb5fb9cb4

SHA1
aa4e00d7cd8bb83f6efa1d9ed4701d24a91f3277

SHA256
82274ed69eadfd9d1f80011c63c01e92b307e46ed3e92645177f87fbd6e9159e

SHA512
62ff6c97b13a38b047cbe7fc65e8d737e3fcc92e88aa65940d68ba9d1ed28848c0e165a84ee29822b55e5993fde86b208441bd199c5cc90e0c33f5051cbb8b45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3af29106f653f5ff2703b9d2434318dc

SHA1
2ff259f0310580c9c70fc6dde9541a5a5624bfb7

SHA256
9de5d895d5d43b77cd198dab83e8d66afe0efadf3c51cb3a03f04779f43cd467

SHA512
50eaf5bc5fc5b95a3fd9ae294d3e432efc43ff165c955ac48dfb8cc05ed10c86a8b5bfc8b8d13f77b59feb23003d1fdc166e8ea0309bbbb30f90d04b7bc2f51b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0ed1efe57193091e38516e31809f23b2

SHA1
e97218e4f522476fae2fc381bfaf1ef29d89d690

SHA256
52b351f0a451e85aba666c9603dd021f2dc7f5075c9a0ab7ad697d7ebe9e82a1

SHA512
a6e49ed58fd20ba94cc9d73b3a64bcc70206ba7f4e1d4e8dbca92d1395c77e8d48166b95c80eb8196a1e69be0d16a705912db9ff11fec55ef803e4ac7f8b86e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f05f576d1405056e5063be1aa898ec84

SHA1
5b2302a3a7b94b5745df0609cd710924053e019a

SHA256
916bac7ead0905e2f07994f1e166b046f485e7cf3fc62287469979de1f1e3bbd

SHA512
a31e065bc37a1d6a7ccd3d5bf7514dfade3cc4c7fb4744ee12709bc8cba86e0aa28137dfe4eeb1f1a78b033681b1bb295ec91717f8850f1158316f9c04af715e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
69b257b277e0f75a3660375d577c1268

SHA1
f327da397a3d114fad2475f64b51e1e693fd530a

SHA256
285a02250a0f492bb619bc5d1d167df48c22401209702e54a4b34f580cdd55cf

SHA512
8397d4909881314f8ebc78f974edc7dfc8a3973b19e10aedde7fcdda411247bcb57ed75e36937fbb73a8939ff37aae5f8210bd3dc47cd63039a091c989f0c6ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5f8e7cf55dd346424c9d0db130981522

SHA1
cb92e2da67785b47b56e9b5f47c29c7986828a6c

SHA256
6abd22bf07d970e928c9103a0c275a5ac3d459e952c0978d8037751bf3452203

SHA512
cbd88f40780a9cdc9b94e999f59b078bf8dd2626dbeb6e9d1fbb00831704a724a218a2f933780a858893dd44a74603042066f9acf5bd05903f0ca2797c059c8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5d2683dc6aaa17558c7e338debec000c

SHA1
39f5fbb4978ee0242c2d349e8dbffdbcf6d77246

SHA256
124e02c0a432ceab819ae2de02a6c6f2b60577d224f21c782e0e3f2484d52c58

SHA512
e019554b73718521ca0ab0fc4ee2e25c0334dd9e8c64ee3d986ec478875dfb0dc88079833aa0bafaddf806c1d89817c51f66480a66165a2cf431f503e26fd4b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
415500b99b8fdb5e59ac0e1d734a6525

SHA1
80b14e2df49883d2dcc5edf99d461832abe18a53

SHA256
f6e254fe8e858a2fade78e7889db2c27b073799473307d04afc17238dfc454d7

SHA512
f7dbe25512a4697d1eb6eb22b5435b2dac62670493e608002271531ef526d9f300657e532d72c39c3b635dd49af53a8d4dd0ba124e1021bf2785e1de3d5387c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4202.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4370.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit