globeimposter | 054b6a681af4c0b40553f9d90a62c50c836585faa773eb7142bc440c1f397748

General

Target

bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
Size

231KB
MD5

bd617bffc723c51d89ce55bc7092b337
SHA1

7fdd7819d9af1a9a8555b375f5cf791bd0591588
SHA256

054b6a681af4c0b40553f9d90a62c50c836585faa773eb7142bc440c1f397748
SHA512

3da25b201c3ed18f2239d157e5d45dab3f541b515aa16ebd87e36e1e41bf425b752242dc37758d86c7e73819afabaae60235105b8ea2767870d3b9b78e83387f
SSDEEP

3072:2FKCy9coaUVdWa9tAFPWOC9lXXcwz53WPUjAGBa4SJ/RCLeWLOqkMq6+z:24FaUOa9tevC9FcAW5V4STC4RMq6+

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Renames multiple (9086) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Roaming\\bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe"	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe

Drops desktop.ini file(s) 30 IoCs

Processes:

bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Public\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageBadgeLogo.scale-100.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\ui-strings.js	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb_new.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-200.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\150.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ObjectModel.dll	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\Read___ME.html	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-96.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DocumentFormat.OpenXml.dll	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-20_altform-unplated_contrast-white.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Transactions.Local.dll	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlOuterCircleHover.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-96_altform-unplated.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSans.ttf	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\ui-strings.js	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.exe	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\ui-strings.js	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView.scale-125.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_Package_Light.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\mso40uiimm.dll	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-200.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsBase.resources.dll	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Native.dll	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-256_altform-lightunplated.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView-Dark.scale-100.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare310x310Logo.scale-200_contrast-black.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\UIAutomationProvider.resources.dll	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationFramework.resources.dll	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\ui-strings.js	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\Read___ME.html	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\download.svg	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-1337824034-2731376981-3755436523-1000-MergedResources-0.pri	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\vcruntime140_app.dll	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\3039_32x32x32.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN114.XML	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\LargeTile.scale-200.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-100.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_WideTile.scale-125.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextDark.scale-200.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\clrcompression.dll	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-100.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square71x71Logo.scale-200.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\it-it\Read___ME.html	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-200.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\RtmMvrUap.dll	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-96.png	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\TellMeRuntimeImm.dll	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1092 1152 WerFault.exe bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe

pid process

1152 bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
1152 bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe

pid	pid_target	process	target process
1092	1152	WerFault.exe	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe

pid	process
1152	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
1152	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 1152 wrote to memory of 1716	1152	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe	cmd.exe
PID 1152 wrote to memory of 1716	1152	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe	cmd.exe
PID 1152 wrote to memory of 1716	1152	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe	cmd.exe
PID 1716 wrote to memory of 1924	1716	cmd.exe	reg.exe
PID 1716 wrote to memory of 1924	1716	cmd.exe	reg.exe
PID 1716 wrote to memory of 1924	1716	cmd.exe	reg.exe
PID 1152 wrote to memory of 3752	1152	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe	cmd.exe
PID 1152 wrote to memory of 3752	1152	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe	cmd.exe
PID 1152 wrote to memory of 3752	1152	bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe	cmd.exe
PID 1716 wrote to memory of 1828	1716	cmd.exe	reg.exe
PID 1716 wrote to memory of 1828	1716	cmd.exe	reg.exe
PID 1716 wrote to memory of 1828	1716	cmd.exe	reg.exe
PID 1716 wrote to memory of 5104	1716	cmd.exe	reg.exe
PID 1716 wrote to memory of 5104	1716	cmd.exe	reg.exe
PID 1716 wrote to memory of 5104	1716	cmd.exe	reg.exe
PID 1716 wrote to memory of 456	1716	cmd.exe	attrib.exe
PID 1716 wrote to memory of 456	1716	cmd.exe	attrib.exe
PID 1716 wrote to memory of 456	1716	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

456 attrib.exe

pid	process
456	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp9BA.tmp.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
3⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
3⤵
PID:1828

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
3⤵
PID:5104

C:\Windows\SysWOW64\attrib.exe
attrib Default.rdp -s -h
3⤵
- Views/modifies file attributes
PID:456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe > nul
2⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1096
2⤵
- Program crash
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1152 -ip 1152
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini

Filesize
1KB

MD5
6747a7b5bb929c5c3093fc41badd46df

SHA1
87e721979cffb12853ae07d64727d45202d71672

SHA256
32471985c59977bbcdeeba3ea5f92ef15619f7ae07b4bdd93c43295cd07f5fa5

SHA512
29f9438fe03175a2a262c5a2f462e666e04770435bfb8f4d3151c731e17d6e84019d9bea6e840e45c1f8706a077a54ac5939ea4035504ff6a645139945c6d96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9BA.tmp.bat

Filesize
445B

MD5
32d8f7a3d0c796cee45f64b63c1cca38

SHA1
d58466430a2bba8641bd92c880557379e25b140c

SHA256
1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea

SHA512
288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698

Download Submit
C:\Users\Public\Videos\Read___ME.html

Filesize
4KB

MD5
a78ded31fdc58c656ab54c3623fd651a

SHA1
0c35b1f69fe8f11f6969d65b9d27882322b66872

SHA256
30362569c336aab0b06602894981d6235996408048ebd60b1007893a931fb167

SHA512
c0062328ee5f0a58e983c186ae4c35b72ef3f8598dbc784c4525e95dadd32bb286d0e773c894bca317cb18b203523dad22f16d85c49726afaabe56ca88c03f14

Download Submit
memory/1152-2-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/1152-3-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1152-1928-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1152-5784-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1152-5783-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/1152-20258-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads