4b3fdbea7f0d31a72a9a016ba42c8e4f7a45484659b1b8bddb5765195070de76

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
Size

12.6MB
MD5

07be732792dc8e1c4f2d60b9b6264f2b
SHA1

03c053554b3618ee7db2eb6ce4cdc01b7a043d7b
SHA256

4b3fdbea7f0d31a72a9a016ba42c8e4f7a45484659b1b8bddb5765195070de76
SHA512

0a5f0474224b0fd0baa2856d1583ef3ef5b19aa1b8947e6b4933f9a9de4c710abeed21489d8e2114fb85b8aa70364acf9885efe18edd69ad7471aa9a4a8f599d
SSDEEP

24576:XdayHQeN/7DSBfWhVEKKYJkwrsrIZmDyDoJJJJJJJUm/x2ROf1IegqutJQ5FeQzd:XYgph7GBfWbYcMh2RAR5FeA6wAqC19g

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Contacts a large (906) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ati display driver = "ÔN@"	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\reg.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\takeown.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\verclsid.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chkdsk.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\perfhost.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\resmon.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WerFault.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ieUnatt.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MRINFO.EXE-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasphone.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\autofmt.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bitsadmin.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\UserAccountControlSettings.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wusa.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\MigSetup.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ssText3d.scr_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winver.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\timeout.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cscript.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\diskcopy.com-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\poqexec.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\resmon.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RmClient.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rrinstaller.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Robocopy.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sdchange.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\findstr.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\shared\IMCCPHR.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chcp.com_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMETC10\IMTCPROP.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msra.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\relog.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpresult.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ieUnatt.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wuapp.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\mighost.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\netbtugc.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\w32tm.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\mofcomp.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fltMC.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\logagent.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesRemote.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TCPSVCS.EXE	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AtBroker.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bthudtask.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chkntfs.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DevicePairingWizard.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate_ssp.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wsmprovhost.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\more.com	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rundll32.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\schtasks.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesProtection.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\typeperf.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dfrgui.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\runas.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CertEnrollCtrl.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wevtutil.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\clip.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\findstr.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\imjppdmg.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPUEX.EXE-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sethc.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\WinMail.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Mail\wab.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\ieinstal.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7z.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\ktab.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpenc.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\servertool.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\WMPSideShowGadget.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Program Files\Windows Journal\Journal.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\x86_microsoft-windows-f..temcompareutilities_31bf3856ad364e35_6.1.7600.16385_none_009cfaa696afe78b\comp.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7600.16385_none_c718d071d9c10a2d\auditpol.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_34ce5d95ad203bbe\HOSTNAME.EXE_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..atibility-assistant_31bf3856ad364e35_6.1.7600.16385_none_8fbb77bb3cd808d1\pcawrk.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_servicemodelreg_b03f5f7f11d50a3a_6.1.7601.17514_none_1f2918adb8a9c100\ServiceModelReg.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-eventcreate_31bf3856ad364e35_6.1.7600.16385_none_d53926c7a0e7716d\eventcreate.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..s-regkeys-component_31bf3856ad364e35_6.1.7601.17514_none_7df14b591094e7ec\TsUsbRedirectionGroupPolicyControl.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..s-ime-japanese-core_31bf3856ad364e35_6.1.7600.16385_none_cb604f1aa758e6b6\IMJPDSVR.EXE-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_6.1.7601.17514_none_d71fb1d63f05ef22\WFS.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-pnphotplugui_31bf3856ad364e35_6.1.7600.16385_none_44d62330646f757a\DeviceEject.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_8.0.7601.17514_none_1196a9003b674a92\iexplore.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17514_none_6e37cb8c12652b73\ntkrnlpa.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-winver_31bf3856ad364e35_6.1.7600.16385_none_b627d45ffdcc6f00\winver.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wpd-shellextension_31bf3856ad364e35_6.1.7601.17514_none_6f4ef219dd693ca6\WPDShextAutoplay.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7600.16385_none_aeb1ef0f4e6bba1d\cscript.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-autofmt_31bf3856ad364e35_6.1.7601.17514_none_e7fba6c91d7030e3\autofmt.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-chkdsk_31bf3856ad364e35_6.1.7600.16385_none_c1bcb003ee041301\chkdsk.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_bth.inf_31bf3856ad364e35_6.1.7601.17514_none_d06ac9aad230c1d6\fsquirt.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_632ae4bc5d173763\relog.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7600.16385_none_0935b76c289e0fd5\PkgMgr.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-telnet-client_31bf3856ad364e35_6.1.7600.16385_none_1426830c3ebb712d\telnet.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wcf-servicemodelreg_b03f5f7f11d50a3a_6.1.7601.17514_none_40fc6e6d1b4ea992\ServiceModelReg.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ropertiesprotection_31bf3856ad364e35_6.1.7600.16385_none_bfa748753634ba48\SystemPropertiesProtection.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-security-spp_31bf3856ad364e35_6.1.7601.17514_none_78875ce737927d27\sppsvc.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..ystemassessmenttool_31bf3856ad364e35_6.1.7601.17514_none_d9bafd47cdf9833b\WinSAT.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wordpad_31bf3856ad364e35_6.1.7601.17514_none_963528f4b7e5d0fd\wordpad.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-mcspad_31bf3856ad364e35_6.1.7600.16385_none_bd8c328b84ea0fba\mcspad.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-metabase_31bf3856ad364e35_6.1.7601.17514_none_9757fd443892abe7\inetinfo.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-proquota_31bf3856ad364e35_6.1.7601.17514_none_85ecfd46a904b22a\proquota.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-mcglidhost_31bf3856ad364e35_6.1.7600.16385_none_05a2b72417ec1c6a\mcGlidHost.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-gc-registeriepkeys_31bf3856ad364e35_8.0.7601.17514_none_a0c922c3b170dd5d\RegisterIEPKEYs.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-taskhost_31bf3856ad364e35_6.1.7601.18010_none_86608c5a70f925bc\taskhost.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_divacx64.inf_31bf3856ad364e35_6.1.7600.16385_none_cf37cc4c5bc25dc7\ditrace.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dfsvc.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-c..mplus-admin-comrepl_31bf3856ad364e35_6.1.7600.16385_none_45fe6fe8a9201e55\comrepl.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_6.1.7601.17514_none_d71fb1d63f05ef22\FXSCOVER.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17514_none_ca56670fcac29ca9\ntoskrnl.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\ehome\ehprivjob.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_90ecf919657dacf4\NETSTAT.EXE-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-atbroker_31bf3856ad364e35_6.1.7600.16385_none_cf7705f47fa8cd65\AtBroker.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_6.1.7600.16385_none_02aa6dd4294b8d5f\shutdown.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647\appidpolicyconverter.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..xing-service-server_31bf3856ad364e35_6.1.7601.17514_none_0db5e5844ed6ffe9\CISVC.EXE-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-netplwiz-exe_31bf3856ad364e35_6.1.7600.16385_none_494ba66d2a12efc3\Netplwiz.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_678566b7ddea04a5\PkgMgr.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-bth-user_31bf3856ad364e35_6.1.7601.17514_none_cd93efad202e5fb6\bthudtask.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-commandlinehelp_31bf3856ad364e35_6.1.7600.16385_none_3020274b22e8a90f\help.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-calc_31bf3856ad364e35_6.1.7601.17514_none_abc56b2678fe1108\calc.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-eventlog-commandline_31bf3856ad364e35_6.1.7600.16385_none_c0aa8bc2de239cf9\wevtutil.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_6.1.7600.16385_none_a749cec7a8b6bf08\wbadmin.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..-setieinstalleddate_31bf3856ad364e35_8.0.7600.16385_none_7f263a8951bc5a48\SetIEInstalledDate.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-eventcreate_31bf3856ad364e35_6.1.7600.16385_none_d53926c7a0e7716d\eventcreate.exe-	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-migrationengine_31bf3856ad364e35_6.1.7601.17514_none_5aaf419e398215df\mighost.exe_	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000945a08364f2513bda73ac127daa422b106639243190ba04c256020a4765274aa000000000e80000000020000200000005e32973a9565cbee6fa8508c7002260eee77935c73f1ea005d029ecebfac174720000000c2efdd5eb72a02f319c22c1a72833615401e69f514b56d595a95583fecb23dac40000000964b04d910bec792f025e79159e151c158e0f38995a3aa9089b8a6b56ac5d84b1af7e27905fcde98912dfe0bcde284f619a522de355b18e2224dd8a616b405be	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420558256"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0dc010f379ada01	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000f3a9bd4639bf979972df41a014639a1482c1a772087d9dda52188a0ca4c7c87d000000000e8000000002000020000000ab83c3d0a7fc15101405ee44e4088d623b539c219f36a30d60343dce9681e28890000000019b57be873c1f9053155538d494d84c0569884f14a3e980f4a968da8cf381260a582078f898f23e12dbd9c10f474cecc307764b217862154c0a6776b8c18198902ff1e69ee649033327372b204e4072ed3cdb5f11245703356ed789f82c2e3c397c8ce5cbf87d815a31decbfca02b43cb2a08c0ea4b520206e58e82fa9c29e605aff4a6b2ef1d5772c83b8c3e49e24c40000000d69016a86bbf3cd09e7f6e73ca39c76963b86b0bd407e1196de200aff9ca978af50f3232a919fb8092c219e2c9617043dcc2f1afaa6590acd44ee3547809b732	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{38D41941-062A-11EF-91A4-56D57A935C49} = "0"	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2372	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2372	IEXPLORE.exe
2372	IEXPLORE.exe
1252	IEXPLORE.EXE
1252	IEXPLORE.EXE
1252	IEXPLORE.EXE
1252	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2372	2936	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe	28
PID 2936 wrote to memory of 2372	2936	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe	28
PID 2936 wrote to memory of 2372	2936	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe	28
PID 2936 wrote to memory of 2372	2936	07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe	28
PID 2372 wrote to memory of 1252	2372	IEXPLORE.exe	29
PID 2372 wrote to memory of 1252	2372	IEXPLORE.exe	29
PID 2372 wrote to memory of 1252	2372	IEXPLORE.exe	29
PID 2372 wrote to memory of 1252	2372	IEXPLORE.exe	29

C:\Users\Admin\AppData\Local\Temp\07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07be732792dc8e1c4f2d60b9b6264f2b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Program Files\Internet Explorer\IEXPLORE.exe
  "C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
12.8MB

MD5
d59b7c1a06cd4ae5281262178cfca35d

SHA1
c927838760f1195ef0449553aff147beaa767307

SHA256
6e8ba6e16d3bc466e243f54f207c2abf99a7767c70e84e2a69548ef0f8821979

SHA512
4932e427b085103704388f9e4e21cd0273ddd7cde6244ab1f3c949389e01ad1d44f4687b067f94369d895a3700e34db3b70f473c6f69d2c51df8deee19b8d591

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89fbeb95a0b47398fa741f6991eb3658

SHA1
0c0b7a32d32f0861ad5ef5fa7588d093ceabd8f9

SHA256
f1db86a3d853714a88995cdbe7842507692d3cb39b19250edbf946e8e70aa834

SHA512
cd5fa2d5e9e0d1edb27cf3a1db9261b89714356950b7762f0a192732ba820c71cca2bc4863381515dd63957698212d07489294055a30ba983678baa697e72ce8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
184b09d3fb1b4af7413c49ae755c385e

SHA1
475b4ef5320a6a10355d1abb680146f033165eb0

SHA256
75fad41a0347f689a79ad06d94b6569663e12e601807ff6ddb4814c2f9363ca7

SHA512
89e5a11766ddcc02e17121c631426b67a8d0023eea2352fdab91e222c3e7da1c1771162b6ede9992d8a3d0d1d464a01a0f05d1af9b3a89b765e7b30611ba564b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e3270e39664fb253a5aac23e0877cb0b

SHA1
ac5af277b7d4817f731d0ce9c129442d4f48e407

SHA256
450dab31eba29a6f1ccf3da620dde667fc7a784431ad185c4d18ee1fba6f3c83

SHA512
0a1f51db42970e6aca1f894253237cbba3b9bbb328b69092acef1eb531b3e9f902881f902653bf634efbc001afb1c26de55ffb6a18e8064e218e7f9b46c95ca5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
276f7fa63647a0836f80aa888e25c0b7

SHA1
c1a6761a407fff1e9be488b6bdd79dbc367ff41a

SHA256
28d1d11fd4a8778142d7baa1f755304095eb183d88563a693d5957e6de808dac

SHA512
778b01c205d4e05dd843ca0e83cd0cb059b02b5381041dc8e4c43f88684bbf7c5a628ad1c6b2e8a4f39c6779a895332f55ac13c16fcd03d97e43aed031a39763

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd248531af17922f5bf15b2cbd564a64

SHA1
3d75694c667c4b73d327cbc21c9c6263a8edd4ef

SHA256
c1bda568b85747818200542f1852a72b414a7b37b040b91653b330ba286b09b7

SHA512
1d50ae98ebcf82722805cfc322037937c187fdfe91d0c611a8bb930b7fa17a42213b66232c4da9136a44703f69ec8e34dce5c0fe46bebba2c5eeb0286d39c8cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59edb3bde00b8af4ab96f23ab182262e

SHA1
d8d5fe3bdaa791d282fa52c6e35482842f5dd593

SHA256
4ccda594adadc8ca30097ffea4ef34ad52a220ee8e050b1de58993c7b39296e2

SHA512
d413b6c902b12e348067fb476c7336a167d56880e38381a9f8c26c05c6d41deb5285ce0fc404a0fa4e5414b4827f5fcb056f0e21bd8c8736c48f2649901d3693

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0112c458fd392fdf1290f1ec7cc758de

SHA1
09488c73a61b3a2407d5b184c6aaa3223524d09f

SHA256
b5a6bf7d90ccc688c307f90ae4c413f1cb610452e129e83da0ceaa38b20b67e3

SHA512
e98c28bb181312a61c2dd1507b55b45ef76e3599e9cd34ba3cd07378ba01c5f84ac58ad032498c83b35a52459396f3c8d6d22e125cef51d2a3ba9d1758772f2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4a8160584a79c2d4aac988d2dc0791a3

SHA1
4b01bed47179e4024412b5395241e83d1b46b86f

SHA256
206c2fa2035823509701b5971aa3b0ffed11edba73f710f03fc41c6fe578f8b7

SHA512
1b8ede3ef1e7492ed60082025c8ef8e5c869c713ad72a0dec1a78002e3d4b5a1aa484866d547a85764a7769ee4e6a2184f815f3bb7f9f8af0d97a126328505cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
34b02e176765aa320fb5409880bc5b19

SHA1
6ca0f054cbe9e9944b2875ce86cfd965c29c2ced

SHA256
9b3a78ddfeca0b27ee2bafe945f82fa44988bb2c372a9eea350dff194dd18b5f

SHA512
62efadbb9cfa9faa4e6bf18ebafe9021297139b347c75426830cf09e516b3da63da88be96bd405af78d30a10776fd47db7b5e309a7b080779ff9d3be6b6553b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f5b16bb84c1ee7ef43b695167c9e2c5

SHA1
d5b72bebf2d1af0a503437eadbf03fb0ecfd1cf5

SHA256
e24b3c2e56059b01065eaf6584924d92dc6e84648df854ef37c620f545b29cdf

SHA512
7946d03b8fd83fbb9bcba51e33dcc9833ddb8b936beae64b727577d6227f2356adac2c2fdb8563a3947c85145cee3087d194d523d9e4d92d3e2d1dacc6e74390

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a12917d6a223b8a81e1ee45cc91f7390

SHA1
345f2738fa7d521867dc4643030f95511dcf7faf

SHA256
8a2d3b568bbb12318d28d44816b80eb34f3f242973d38e98e0aa640486996894

SHA512
1525e8a9e9efc4f76e9a9fdc9772f37cb12beaa0759e8b7a771d41c5473df69d0227760a1e93541a52311c1d38b2faa27b45a0f693dd13254d8b5f4591852239

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
baeace7bfae9728cf2885d08478c92df

SHA1
595ef1f5f0368ff4feb1ca90d901370fad700cc1

SHA256
e1101f9a4dca13b9636b19f7bdbc7e3277504cca34a4aeb20718b928e6e186c6

SHA512
da7cd6987fb11d0f0090d407f637b6b043dd7b9ffdb031d4d10cc992ca61f833cba0dd99d584895a144aa619c15a495c591d6c41f40e54baa0722c0901e90104

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
303caa07340657b69469fa6277d2a850

SHA1
76ff1818afd2521428c3fbc754ea9585f8799779

SHA256
574483bd2f66735f02529b3a7de8b14f0808a53932f4b9587d48b9fc6264a4e5

SHA512
a92e88871e47b5012a9cf176258809f2d92263e2e82de0b644341ea577d1466a68fb1866eb257aefe31dd79f0c8444d4116c274d7319f980a2a266ffe571f945

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b5ca03435c2818745a29249819175079

SHA1
5353cbe3f180693d7bfd3ad698a35a9169764ab2

SHA256
c720a5ec312ead7de069d4939e865d3d06676822e9082001d4bda44a589ef0bf

SHA512
580b6bdbed39a6d1d3cf4b45f4de325248dcb47aba89dda52b20496ae16e05eba0f273445c13326cfb3d682f2b4a1a76f0e9134d6cb804ad08c469c96885de63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d14674255445af625aef0968cd41fee

SHA1
a6f34571acfc05a64d8b73a58b9a0814b98e3523

SHA256
348efa7a0bed9fd137468aa0a838d208fdb528c02888b6146061005a4fe3b175

SHA512
5d89fc677e86e2f183d4018c5f9ed2685aad656246bf92bf216804e6dca01786b49bf1341485cecb6c4a41023cc467ddc736064a5d1746cf7c6a833d38abf1d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd133faed4b7982602ae6fe51959a9f7

SHA1
e1d877e414935b0613fc7cd519927dc0f94fc6fb

SHA256
373c671d6185164bca9f3dfdca21c30d82215ed93085a5f146e9d2b014225d83

SHA512
475c8bc6b38b2a658614800f9e1d6957e7a265b8a2f25a770417e0ad88d89f30f6de35de5c6c8d5e59f0f3135ce7dc2e10d7f447d0d31fc595f2bc90b2e774ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c34c2a7833c9360da5a5004931b9950a

SHA1
ccd2de13e1c5103913de1c597dcd19d15169583e

SHA256
194bd5a95bea25a9dc15a2910e4a7609c08e0bce135b262abde10767eba88475

SHA512
9ea9a2b154c6f00fcc0cd4052ad7d17892a27eb2134de276202fb1fb86a0a236cd755849146a246f294dac75b0d0574ef8a66192d441dcaf446e64d22c5ac427

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55c401cd42aec2b0279eb71c617874e5

SHA1
abefb51805d566719ae57ba69a083e14c44da666

SHA256
fc9cbc6b9d05c916fd700fbf4fea5b53e3bb83904eac936f83292fd1417b3865

SHA512
39b9325e436d030235c099ef45cf9c9f55274f28fffe48bd99f1a2efd0f3dee568407008e6fc252f68e17b9e1339c73c7a01e29ea08eab6081e7219b7597ef12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
061b46cd7661d3ab4cd5fd7d980db113

SHA1
bb9cf8c952482cd0448eb1e83f4fd166fe3cb766

SHA256
4b2b4bc63eecfedbeaa0608a071f7ec06e98c48a48c00294b46a43c6eef90bb4

SHA512
4f817c22cd53c14979f61743398cabc5dc57cf14c3534d42192864853c9cb391ce72c3bfefb76a9173ffe059a010fcd3bac9b72344ae753b45aa9aa66cc1cdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab369D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar378E.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads