034fe030f12edbc41527f20a5a29731b833101117973b723e7fb816458ee44ad

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
Size

16.2MB
MD5

145fef85c878f425d4ce9cd0dda21528
SHA1

2dec292c5e93c3284c1b0f14408dd42bfc0167fc
SHA256

034fe030f12edbc41527f20a5a29731b833101117973b723e7fb816458ee44ad
SHA512

d663e3c5db06ba610109e2fed924480f2f130c666fe55be6552ea8a9eb93cc8184ab3de8a10b8ecd41dda26e41905605a44d61e49fd08c079dccc522afdc90c4
SSDEEP

98304:XX77GBfWZ5KYOXwnS4rVQSoYOXwnS4rVt3:vGBfWZJIz8IE

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Contacts a large (746) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ati display driver = "ÔN@"	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rekeywiz.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\format.com_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PkgMgr.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\taskmgr.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\where.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cleanmgr.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sbunattend.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\expand.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\relog.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RunLegacyCPLElevated.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\unregmp2.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chcp.com_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\comp.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\timeout.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\convert.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\srdelayed.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wermgr.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EhStorAuthn.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesDataExecutionPrevention.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmmon32.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpscript.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sdbinst.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\BrmfRsmg.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\MigSetup.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\systeminfo.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wscript.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmdkey.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\diskcopy.com	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\syskey.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Bubbles.scr-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MRINFO.EXE	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ctfmon.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\verclsid.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpresult.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\logman.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\makecab.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\PostMig.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msiexec.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cipher.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\doskey.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\mighost.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\autochk.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\shared\IMCCPHR.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MRINFO.EXE_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\UserAccountControlSettings.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eudcedit.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpupdate.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\logagent.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OptionalFeatures.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\takeown.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\com-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eudcedit.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DpiScaling.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPDADM.EXE-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\com\MigRegDB.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cttune.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fltMC.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\imjppdmg.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msra.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\powercfg.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesPerformance.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bthudtask.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dplaysvr.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\jabswitch.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\javacpl.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\klist.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Windows Journal\PDIALOG.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpshare.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Windows Defender\MpCmdRun.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\PopExport.bat	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\vlc.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\WinMail.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zG.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\orbd.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\javaws.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..atibility-assistant_31bf3856ad364e35_6.1.7600.16385_none_8fbb77bb3cd808d1\pcawrk.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17727_none_6e30004a126a8db7\ntoskrnl.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehshell_31bf3856ad364e35_6.1.7600.16385_none_95955bd51390781b\ehshell.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-eudc-settings_31bf3856ad364e35_6.1.7601.17514_none_b84dc938eed78546\eudcsettings.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..eoptionalcomponents_31bf3856ad364e35_11.2.9600.16428_none_e410f56f6c4ee930\ConfigureIEOptionalComponents.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-security-spp-ux_31bf3856ad364e35_6.1.7601.17514_none_b9e7a42ab571bbb9\slui.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-impexp-extexport_31bf3856ad364e35_8.0.7601.17514_none_4abf71c398c9a7d6\ExtExport.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\IMCCPHR.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_698fc88e65b943d6\wmpconfig.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-ux_31bf3856ad364e35_6.1.7600.16385_none_13b9b4b7d327a721\wmpnscfg.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\msil_edmgen_b77a5c561934e089_6.1.7601.17514_none_cddf79f7120d371d\EdmGen.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\ehome\ehprivjob.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-lpksetup_31bf3856ad364e35_6.1.7601.17514_none_7f7f66788318015d\lpksetup.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_678566b7ddea04a5\PkgMgr.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\tskill.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-basic-misc-tools_31bf3856ad364e35_6.1.7600.16385_none_17330d9420bf24e8\expand.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ing-management-core_31bf3856ad364e35_6.1.7601.17514_none_895a2b74415ea575\DismHost.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-eventlog-commandline_31bf3856ad364e35_6.1.7600.16385_none_1cc9274696810e2f\wevtutil.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-securestartup-prompt_31bf3856ad364e35_6.1.7600.16385_none_4c045ec8fda52d34\fveprompt.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-gpowershell-exe_31bf3856ad364e35_6.1.7600.16385_none_9edabb9befc6e697\powershell_ise.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-b..onment-dvd-etfsboot_31bf3856ad364e35_6.1.7600.16385_none_82523ed4cbbd035a\etfsboot.com-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-driverquery_31bf3856ad364e35_6.1.7600.16385_none_95f92198f65d354d\driverquery.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\ehome\McxTask.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regsql.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.1.7601.17514_none_04846decebf43c4c\resmon.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_7cf343cac8a829ec\chcp.com_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-efs-rekeywiz_31bf3856ad364e35_6.1.7600.16385_none_63df9c242588e5fc\rekeywiz.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\iisreset.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.17514_none_04709031736ac277\lsass.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_6.1.7600.16385_none_ad5854ca0a23343d\mount.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sidebar_31bf3856ad364e35_6.1.7601.17514_none_37575b7e71a86712\sbunattend.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-es-authentication_31bf3856ad364e35_6.1.7600.16385_none_419312c477ec702a\EhStorAuthn.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..environment-windows_31bf3856ad364e35_6.1.7601.17514_none_c75e9c99a36a285a\winresume.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_d911df4e81059b22\find.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_divacx64.inf_31bf3856ad364e35_6.1.7600.16385_none_cf37cc4c5bc25dc7\ditrace.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-pcwdiagnostic_31bf3856ad364e35_6.1.7600.16385_none_5120bf8b19591afa\pcwrun.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ddodiag_31bf3856ad364e35_6.1.7600.16385_none_362ce835fe42421b\ddodiag.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-i..-setieinstalleddate_31bf3856ad364e35_8.0.7600.16385_none_23079f05995ee912\SetIEInstalledDate.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-isoburn_31bf3856ad364e35_6.1.7601.17514_none_4458ac8eafdacbdd\isoburn.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_6.1.7600.16385_none_f5b8f3d6a353fa89\SnippingTool.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-telnet-server_31bf3856ad364e35_6.1.7600.16385_none_eefcce9868c6d4b7\tlntadmn.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Narrator\0bae62c3fc6c327ed24989263988173d\Narrator.ni.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..s-ime-japanese-core_31bf3856ad364e35_6.1.7600.16385_none_cb604f1aa758e6b6\IMJPMGR.EXE-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx35linq-edmgen_31bf3856ad364e35_6.1.7601.17514_none_0ca1fd81527e1e9a\EdmGen.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-makecab_31bf3856ad364e35_6.1.7600.16385_none_f0a5d809ca926e4f\makecab.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\WsatConfig\36ca2928b2191011831ab673861c6ac6\WsatConfig.ni.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sysinfo_31bf3856ad364e35_6.1.7600.16385_none_4b49a2c2123fd42c\systeminfo.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-driverquery_31bf3856ad364e35_6.1.7600.16385_none_95f92198f65d354d\driverquery.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7601.17514_none_16699919077609d2\taskmgr.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-autofmt_31bf3856ad364e35_6.1.7601.17514_none_e7fba6c91d7030e3\autofmt.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-findstr_31bf3856ad364e35_6.1.7601.17514_none_2936f54db7f6c08f\findstr.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\misc.exe	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-at_31bf3856ad364e35_6.1.7600.16385_none_a8f696109d958c5c\at.exe-	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-autochkconfigurator_31bf3856ad364e35_6.1.7600.16385_none_74b76d3fa1757c6f\chkntfs.exe_	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9FFC4A01-0A55-11EF-A0EE-F2EF6E19F123} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c60000000002000000000010660000000100002000000016a44ada0ee438840aeb9e6fec6ff1f1473f3093225365c89b28052c7a5a1554000000000e8000000002000020000000754fc15f008c45ee8fe4f28f2ea94d689ccb35e1a790c20f501386e159eb3e81200000003336d8d7ff1df8757d30e5943ae5a53511730439547f7eb13dbbd947e1d28d6c400000001e677ece398532fa75da2af7fce0418ac9b409aa9fca09cdf6232025254eb48fefc8243d48d388734bf1b905b78bfb93866aa3036d54df77559e3762d550b633	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0221c76629eda01	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000c9dc3cf9d2d8e38a518482fcfcbed24814e60d9cd09b101baa544891f63212dd000000000e8000000002000020000000fed6d588e6d545995fdc53726cc151426827af13de51ed8f46389b41f5d83ce2900000009c4dc6d90b3d57a0a5f260c4dc55fcfcc00146d0f96edab3236221b49bd3c9abb074c7ea701bd6dd4f3b6ae0f7dacf3b05c4fbf593016899ad2edae9036b6a455a291de8f2ee1888a604ae82c941a56bd66f5d6fe6b23d30218447df7f415d369fa57e240f2a53a3c532f540ad4e278e5dccc432ca86f3964b74dbc4720bfda96d891e29edeedf524d000ade51411e04400000004100cb892f085b5d0d606d0e08f84200cc537d1df50aabca08ebced8f4862f2eecd94898f62e0a79be6e8a90c2735506e82e7abf1d55696771868937ed834b47	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421016702"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1636	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1636	IEXPLORE.exe
1636	IEXPLORE.exe
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1636	1680	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe	28
PID 1680 wrote to memory of 1636	1680	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe	28
PID 1680 wrote to memory of 1636	1680	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe	28
PID 1680 wrote to memory of 1636	1680	145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe	28
PID 1636 wrote to memory of 3020	1636	IEXPLORE.exe	29
PID 1636 wrote to memory of 3020	1636	IEXPLORE.exe	29
PID 1636 wrote to memory of 3020	1636	IEXPLORE.exe	29
PID 1636 wrote to memory of 3020	1636	IEXPLORE.exe	29

C:\Users\Admin\AppData\Local\Temp\145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\145fef85c878f425d4ce9cd0dda21528_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Program Files\Internet Explorer\IEXPLORE.exe
  "C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1636 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
16.4MB

MD5
210fb0ebf51e43e2ff089435a89fe15d

SHA1
abdd4ec0a1e6d05c0a67d8c119ddafddf49baf6e

SHA256
fe084469271ee2db3c41e1f0e3b382a392ee357a931d96cf36d6b2b780c7653d

SHA512
bc2161955533f7a1c19b9d6ef43e69b39a271f41ba25a2cf7eb26c574759d3560ed0d3e1b324a0e2da4dd486d2c8c2c7ccbf656fbcfe36e1672be46718ac0fd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b314f75f6b35bc28af13e49185bc3fd

SHA1
24e90ddf7999dbb1f57db8af0511b6274bb683f7

SHA256
8c204dd7b08389c157f376969d568a67dbf9d9639cfd6541b5bc914aa31e9946

SHA512
34135ea5d9a661f36f437f29ffaa204311b82db8e0fcef72dc66383b731eecc9aae6dc70813cdc4d3904f5969d90b453711c438921c80ba01fa519a1550f579a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5590ac2203bcc5c6b2323fd2871dbb09

SHA1
8dc863166cbf76cf3fba84c66e4ded7b9381fef9

SHA256
239ec53a08743ab79f21697a5d044738e575c8d9e00be1252a7725843a2073e2

SHA512
6c3cfbc3de9dd9cfdacd67b372eb91a26a40fd390ef31843eb752d60755811991c0986066402bac302c0170e38d97a8cd2a1fc60fd5d45b088d257b5245697e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
adc91c858ae37ee62188c2ca3355899d

SHA1
12c6e907243e159b7e6d711550f7d7c7c04b77e9

SHA256
25b58b7e125713da8243233e7dbd529cd9346d1a954fc59ba4cd471a164f4936

SHA512
21228357e8e291356e5b7e05662abecd7c70477503bc58f1296acd800cb2b778f590332ff70bd6a3637344a0761668137bab3a5885dba5ce50085880b4381802

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
36798093844b86be663c4c4af303091c

SHA1
b8f7ea4c388e7d5c805cfa6ef38fa98f5cfad344

SHA256
42b81a05411fad5b41813dfe91a8ba0b029becbf904ffe3350d87e0b906df608

SHA512
4fc479745ef555f5e4796cf1ebfdcfd65280d388d4de37c78afa08fa648ebca1a77d4e75fee089fbbcc480a359e1b34e1766f62ef4c178ca3ae77ad4e5fa3e1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
794539e1947594e24afe2e8ce8d40fb5

SHA1
cf3f301b3b5221252c13e8964da96bb886cf6c34

SHA256
9f4170e798b4c8c968477de5e2c0d7609c7d6a83e954e9500c9d04b114565631

SHA512
353ce7f270c04594765473cce5fec284c8a5732f0b297050ad85ddec550816520ae20c1c21efe65dc4c6146acf3bb199b30815f3119639dd604a69a073eb9715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59ea5d0cc9bb5b9d7bd4c4c7466d01a5

SHA1
26f4304213cf89bfe734a3f5357dfddba291242c

SHA256
a947fb449917fd6a1fc270f422d37d84e508230cab0f88de95a25e4f295140f9

SHA512
950b70b103084b190854802d41f0f0cbe263457f75aef1e0bb167d8888e6e7d2a8d66df4650f86fbef2185e6aebdda20b1951b8724115b11f3b434962f799c9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9fb229192c4081e2498c5b18a47151db

SHA1
c186b0810719a013f4aa6e87f3dea0f96bed4cd9

SHA256
6d28c15ae04f6fc4bae58b3c46e0198a7b3c37670d046723fa6864baee918c1c

SHA512
3e1346769c024437663aadd68a1044fa1e63f67fb31ad56a478079ac0a84cfcc23a5cc0ea49e8a33661ef2cf874161c95810bded93b1ef40e90e17071c6732e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bcdb5d4244dd19e7cf6450d144fffd19

SHA1
2e1907de183cab8cf8dbe3e78a6221864317568f

SHA256
a11a817466b0b1a62e0b199d2b5d6155dfdc49d5a21dfbbb66f5b739553f40e7

SHA512
151ffba896ff577a017ebbaf73c7e54fbc24b0def1029c857e872627e918359d79a9c073528343a06c507a608890d0d47f1870047a93e273dca7d1cd8aafcc70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d490f4e014e734596df723d93ea04f21

SHA1
2626c73c22129ae27d978a8374aaac5a69f21288

SHA256
323cf8f3c2dc211d0a21295038de944a0efc79c938af6236b14b5abd658b3149

SHA512
ddad36f88995a0a4027c411d72c3e3b00c3b53ca1dd9b6557b02eb642f6f0b9066f6dcc92c580299b8e66cbc255e237bd413b128c478d63067c561ed4688fb0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f4f4f54249902fe1d0c20ded227a433

SHA1
bc1c1ddd1e0c78ac6d6d9e82a78b5c258198d64d

SHA256
1403bbdfd63a573b9f08dcf7b8ec8b91ad2c043121348256564a064302bd2b3d

SHA512
f10853485b726ff66a8b61f589175d67873193140b969924523f80a7e93df594f274d81632e2038b54cd23828a91642349839c8de5ade3b4cabb8b812e1ead16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6acfd75737adab1378b8a9e357116e24

SHA1
e2f4f9f9106ac7421974b96c9da266c4bca1203e

SHA256
180c8602f8ac7557d5337a8035803e2e2727f08e2ed2572c3347369ce121ec17

SHA512
5e5cd04791843a49bb6c70ab8619301e114da54573a3f8f1310fdf4cb502d38b2db7ba506b275d0588598050649f2dbd029214e3715bf57bdd711da2b70b1257

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
80c89031500a5d9e5ef61ed5087f8d9b

SHA1
e2f2d959f5a7f780357abd860241651a849e75ba

SHA256
77d3c7ff1c7b220446163b4b6a8e5150066bd6062cdb852fffaf125255865758

SHA512
0f64a08c1ceceac668620750aa724a96204f1b097803b1cb1da412a5225b32c2083b52b70490a6d113bcd1e4cacf2e613741d68935e5cb4a0dfdaf7e933f3698

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f9cff72a3e0091bdaa9cb9c761bf7e6

SHA1
1e4062ffb06c891c157998d6f7b6250300aa3a9d

SHA256
ab52e481723f2090928299dbebfb44961b2edcec82fdd0d7813dafb62bc194ee

SHA512
cdadbee1b68a550ff56f83e67fe95894f16b4d9e0465ad9147a46ff493f439451952c723f529c90b824910c08c5a09bff65be16ccb3010828020e86dcb1a06ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f199b31fdc3676476d56b38e7089c688

SHA1
17f807e50472ecbc9411e07afc270696205fae8b

SHA256
8b7b0aa146d32cd62953bba9b696d194ae6050e7eaf279a7baf98ce12a2d97f7

SHA512
9220075688e01ad04d7739fad3c0fcc4762c55415c820187e036c0a75be4ef2a86b5a43fb8c7fdb7cc78ea37cc44fe3b61460f136d197cb6a7f862b68380965d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6664b575ed0e23158231a20a3e382442

SHA1
d69216d569b1f5e93f1e965e5c79f6115a9e043a

SHA256
bed3212ef8945f49f4af1d5727de2d48b30b7b46ba238550522625eac3793088

SHA512
6ae9e82f1f7733c68f3333935bb1f95c140b764f2bff0213c4fb7b387e2cf3f8cb3a37876d3073a8119d517501bdb3c6bc016f4ed5e5df2a757d7b28c6b49530

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ad0be73a673f1f0a8e665977d07c78b

SHA1
ea86cfec01c424b999de6a73319e47d93292d5da

SHA256
01ef6c9acb208bafa296dedd83d9b482731b9594166399d5d1cefed2462ec790

SHA512
1e0e6c4fa3aa82d5d017161fe5de59918cdb2532a9fe6933b0aca97871360671eeb9fe381bc7a693f67292713b9c3d9b6aba7f9db0e80740abd58578fb3a92cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
429feae0b161d85c70c16f93ac1339b3

SHA1
97df518d20ee3eda68b54f98c3a8eed746f300cc

SHA256
132da5a7b96cc2878357876708e7bee9167735e869023f19db239d8a860c7b5d

SHA512
5a271bdab3942229f2df766e33f1e87d3b43c6dfa7484e575a6e2a9dcfe62259499b3a8b14ef400c4762b5c6ca124c12e37908d28e83776d73a1d6c2330f188e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d7fc84cb54e5ddbefdb023fa034337d

SHA1
128018b9b95a2b60d9b657699de24dded0c59159

SHA256
455f4babc61a10314305155f11b882a7aec437287d808bf43ecc0a85012ee485

SHA512
bc9e63a37b95edfef7a9768c3d60a9d86187ea788274415bc3b7dbdef1b7dfdf1919f0ded6639fb31efe564d98a36b3bb4e0bf117331507c357a446e578f83e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab206F.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2150.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads