globeimposter | 2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274

General

Target

7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
Size

220KB
MD5

7b65b6bdd6866345d6f9d0e18a0dcbc9
SHA1

fe3fdda918a3db1b17fc48716b574356700d5fc0
SHA256

2c34888b579bfe9598f5ab006346ce318ece71375b4deed4a5baf46aa867f274
SHA512

0e73217400e0763ff6e455f7e6fec40b9bfc849c45d2dfec88e5b4ea7f5f102578a0694d35c1b18993bf8f41a5bcbf09903f5bc9662b08fbcae4f6484a274ef1
SSDEEP

3072:93VrTNNer1tXqjkJ+G0vskV+Rr/wtBMHD4C6S7FSrK3xn9j0J:tV/MvJaL+lItqISxMGxh0

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Renames multiple (9070) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Roaming\\7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe"	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe

Drops desktop.ini file(s) 30 IoCs

Processes:

7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Music\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Public\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\Office.UI.Xaml.Uci.dll	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\LargeTile.scale-125.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\ui-strings.js	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\Read___ME.html	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-black_scale-200.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\ApplySticker.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\Read___ME.html	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-100.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-2.jpg	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jscripts\wefgallerywinrt.js	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNoteFilter.dll	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-lightunplated.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\fonts\symbol.ttf	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\Read___ME.html	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-256_contrast-black.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-150.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Xml.XDocument.dll	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dc_logo.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\Read___ME.html	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Applications.Telemetry.Windows.winmd	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libheadphone_channel_mixer_plugin.dll	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jdwp.dll	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.resources.dll	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\ui-strings.js	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-125_contrast-black.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\mfc140u.dll	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\Read___ME.html	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\s_empty_folder_state.svg	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-32.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\Read___ME.html	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_closereview_18.svg	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-250.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailSmallTile.scale-200.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\LargeTile.scale-125.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MINSBROAMINGPROXY.DLL	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\Read___ME.html	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_tr_135x40.svg	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeAppList.scale-125.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ui-strings.js	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\Read___ME.html	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-200.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-pl.xrm-ms	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\MSASignIn.winmd	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\el\msipc.dll.mui	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated_contrast-high.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\RetailDemoData.json	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

984 4392 WerFault.exe 7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe

pid process

4392 7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
4392 7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe

pid	pid_target	process	target process
984	4392	WerFault.exe	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe

pid	process
4392	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
4392	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 4392 wrote to memory of 4520	4392	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe	cmd.exe
PID 4392 wrote to memory of 4520	4392	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe	cmd.exe
PID 4392 wrote to memory of 4520	4392	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe	cmd.exe
PID 4520 wrote to memory of 4676	4520	cmd.exe	reg.exe
PID 4520 wrote to memory of 4676	4520	cmd.exe	reg.exe
PID 4520 wrote to memory of 4676	4520	cmd.exe	reg.exe
PID 4392 wrote to memory of 892	4392	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe	cmd.exe
PID 4392 wrote to memory of 892	4392	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe	cmd.exe
PID 4392 wrote to memory of 892	4392	7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe	cmd.exe
PID 4520 wrote to memory of 2584	4520	cmd.exe	reg.exe
PID 4520 wrote to memory of 2584	4520	cmd.exe	reg.exe
PID 4520 wrote to memory of 2584	4520	cmd.exe	reg.exe
PID 4520 wrote to memory of 4472	4520	cmd.exe	reg.exe
PID 4520 wrote to memory of 4472	4520	cmd.exe	reg.exe
PID 4520 wrote to memory of 4472	4520	cmd.exe	reg.exe
PID 4520 wrote to memory of 4700	4520	cmd.exe	attrib.exe
PID 4520 wrote to memory of 4700	4520	cmd.exe	attrib.exe
PID 4520 wrote to memory of 4700	4520	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4700 attrib.exe

pid	process
4700	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp54BD.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\attrib.exe
    attrib Default.rdp -s -h
    3⤵
    - Views/modifies file attributes
    PID:4700
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\7b65b6bdd6866345d6f9d0e18a0dcbc9_JaffaCakes118.exe > nul
  2⤵
  PID:892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 1088
  2⤵
  - Program crash
  PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4392 -ip 4392
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini

Filesize
1KB

MD5
096c108c0f468a379f9b96a9f3f4681c

SHA1
a8e09d640ca6c8cbe76025c14c632dd336c45a54

SHA256
365d4529c4cc2a59a15a6bd2c290373e06f014957b043b7820b3544e23d22bee

SHA512
84c63ce49384faaf59e3367d2718c34fb5952f2c1bc35676bd7652d1362851d0cbafde5c91749369a33f4f92058187024f9352ba2820a3002cea2a95c7e2e277

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp54BD.tmp.bat

Filesize
445B

MD5
32d8f7a3d0c796cee45f64b63c1cca38

SHA1
d58466430a2bba8641bd92c880557379e25b140c

SHA256
1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea

SHA512
288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698

Download Submit
C:\Users\Public\Videos\Read___ME.html

Filesize
4KB

MD5
85e75eb118874d4417da7b91c6c5cb28

SHA1
dec86b6e87f3efd7f6ff3f4a288ec356accd0899

SHA256
4c262db4c4aa78efd44ea211ef32894213e0e2c4953ec75c9f3300bebee3d94f

SHA512
d08155d26befad132d9f856cd9d27cb514817739b96db55280bd55ad0d8d257f0c15da60306bbe754eb716b89dfd8f374bf32b34e6e19c0749215061ef847ce3

Download Submit
memory/4392-3-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4392-2-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/4392-740-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4392-4866-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/4392-4867-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads