neshta | d72f1acfba1f393e29a4ac30efd9695fb8745e3a0daf79a5576315fe51e320ae

General

Target

3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
Size

6.9MB
MD5

3e444cae2920f0c4791ea7784535a81b
SHA1

e98a03b13a139dea0eaa7d27748d117fddcef05c
SHA256

d72f1acfba1f393e29a4ac30efd9695fb8745e3a0daf79a5576315fe51e320ae
SHA512

3a5e68e8722ad2db86d4f1230233653bbfa077f4c7948ac7691e72cb9b4a6eaa76bb5b0925d8d80f48c72e332809cbacbcbd3ef1ab849d042ad4bf7dd5e0fef1
SSDEEP

98304:FlerjesRJ8YQU/e51qXot5nPOY5wAstsFeZ8ocNND5qz5:urj578YQP1qXotFPzKmFeL/z

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 1 IoCs

Processes:

resource	yara_rule
C:\905c0769f9a06c95a24ddf945\patcher.exe$	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf 3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\CertEnrollCtrl.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\getmac.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\label.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msinfo32.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\OposHost.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\control.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ctfmon.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\recover.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\user.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bitsadmin.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\chkdsk.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate_isv.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sort.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\takeown.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\TokenBrokerCookies.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MuiUnattend.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NETSTAT.EXE	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RdpSa.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\setx.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Dism.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\logagent.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xwizard.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\convert.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\extrac32.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\instnm.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\provlaunch.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cmmon32.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Register-CimProvider.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\rundll32.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\schtasks.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\TSTheme.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\verifiergui.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ComputerDefaults.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dtdump.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\odbcad32.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\prevhost.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\quickassist.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\diskperf.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\gpresult.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Magnify.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntprint.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dvdplay.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MRINFO.EXE	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PATHPING.EXE	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\write.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\netsh.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\SpeechModelDownload.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\appidtel.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\calc.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\compact.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cttunesvr.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\iscsicli.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\regini.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\whoami.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bthudtask.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\shutdown.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wermgr.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\java.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoia.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpshare.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\cookie_exporter.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zG.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CapturePicker_cw5n1h2txyewy\CapturePicker.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\ParentalControls_cw5n1h2txyewy\WpcUapApp.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\XBox.TCUI.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\OOBENetworkConnectionFlow.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\CameraBarcodeScannerPreview.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Win32WebViewHost_cw5n1h2txyewy\Win32WebViewHost.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\CallingShellApp.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.FilePicker_cw5n1h2txyewy\FilePicker.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe$	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.AppResolverUX_cw5n1h2txyewy\AppResolverUX.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\ScreenClipping\ScreenClippingHost.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\PeopleExperienceHost.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\XGpuEjectDialog.exe	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe

NTFS ADS 1 IoCs

Processes:

3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf 3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe

pid process

4468 3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe

pid	process
4468	3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e444cae2920f0c4791ea7784535a81b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:4468

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\905c0769f9a06c95a24ddf945\patcher.exe$
Filesize
6.9MB

MD5
3e444cae2920f0c4791ea7784535a81b

SHA1
e98a03b13a139dea0eaa7d27748d117fddcef05c

SHA256
d72f1acfba1f393e29a4ac30efd9695fb8745e3a0daf79a5576315fe51e320ae

SHA512
3a5e68e8722ad2db86d4f1230233653bbfa077f4c7948ac7691e72cb9b4a6eaa76bb5b0925d8d80f48c72e332809cbacbcbd3ef1ab849d042ad4bf7dd5e0fef1

Download Submit
memory/4468-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads