Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2024 13:41
Behavioral task: behavioral1
- Sample: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
- Size: 771KB
- MD5: 16345de556130b38be95f6e4d8740121
- SHA1: 0ced1e7bcc96fb116bee7076f8894d18c9115cba
- SHA256: 532eb5e45493e1988bbf041c3db40410abbb456e6199b00d02d141a5b3aeafa7
- SHA512: b2e05de7dad1792f6a310e9c57c65b1ad3102251ee657f1e57e6fc9ed703fa222363e0ed0c5528c2e92ed364d9091b6dbf3ebb962b4c981cef8ddeb31def2fc7
- SSDEEP: 12288:Efbh3edoSdPDze9LBApPsKNoeP313umLcUmyqC+N/jXI0zvvNVR:+R8oYzS12PVaA3LLRHqC+ljXFvzR
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
Windows security bypass
Processes: winupdate.exe, iexplore.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | iexplore.exe
Executes dropped EXE (1 IoC)
Processes: winupdate.exe
pid | process
836 | winupdate.exe
Loads dropped DLL (4 IoCs)
Processes: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe, winupdate.exe
pid | process
2068 | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
836 | winupdate.exe
836 | winupdate.exe
836 | winupdate.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
Processes: winupdate.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe (two instances)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe" | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe (all entries below)
description | ioc
File opened (read-only) | \??\O:
File opened (read-only) | \??\Q:
File opened (read-only) | \??\R:
File opened (read-only) | \??\V:
File opened (read-only) | \??\L:
File opened (read-only) | \??\J:
File opened (read-only) | \??\K:
File opened (read-only) | \??\T:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\E:
File opened (read-only) | \??\N:
File opened (read-only) | \??\U:
File opened (read-only) | \??\I:
File opened (read-only) | \??\H:
File opened (read-only) | \??\M:
File opened (read-only) | \??\P:
File opened (read-only) | \??\S:
File opened (read-only) | \??\W:
File opened (read-only) | \??\X:
File opened (read-only) | \??\Y:
File opened (read-only) | \??\G:
Drops file in System32 directory (2 IoCs)
Processes: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
description | ioc | process
File created | C:\Windows\SysWOW64\runouce.exe | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\runouce.exe | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: winupdate.exe
description | pid | process | target process
PID 836 set thread context of 2592 | 836 | winupdate.exe | iexplore.exe
Drops file in Program Files directory (64 IoCs)
Processes: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe (all entries below)
description | ioc
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\vlm.html
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\README.html
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\readme.eml
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\readme.eml
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\readme.eml
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.htm
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\readme.eml
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\readme.eml
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\readme.eml
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html
File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\readme.eml
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\readme.eml
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\readme.eml
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.HTM
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\readme.eml
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe, winupdate.exe, iexplore.exe
description (privileges adjusted, grouped by process) | pid | process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 2068 | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 836 | winupdate.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege | 2592 | iexplore.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: iexplore.exe
pid | process
2592 | iexplore.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe (two instances), winupdate.exe
description (identical entries grouped, 64 in total) | pid | process | target process
PID 332 wrote to memory of 2068 (4 entries) | 332 | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe
PID 332 wrote to memory of 1224 (44 entries) | 332 | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe | Explorer.EXE
PID 2068 wrote to memory of 836 (7 entries) | 2068 | 16345de556130b38be95f6e4d8740121_JaffaCakes118.exe | winupdate.exe
PID 836 wrote to memory of 2592 (9 entries) | 836 | winupdate.exe | iexplore.exe
Processes
1. C:\Windows\Explorer.EXE, command line "C:\Windows\Explorer.EXE", PID 1224
  2. C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe, command line "C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe", PID 332
     - Adds Run key to start application
     - Enumerates connected drives
     - Drops file in System32 directory
     - Drops file in Program Files directory
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe, command line "C:\Users\Admin\AppData\Local\Temp\16345de556130b38be95f6e4d8740121_JaffaCakes118.exe", PID 2068
       - Modifies WinLogon for persistence
       - Loads dropped DLL
       - Adds Run key to start application
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
      4. C:\Windupdt\winupdate.exe, command line "C:\Windupdt\winupdate.exe", PID 836
         - Windows security bypass
         - Executes dropped EXE
         - Loads dropped DLL
         - Windows security modification
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
        5. C:\Program Files (x86)\Internet Explorer\iexplore.exe, command line "C:\Program Files (x86)\Internet Explorer\iexplore.exe", PID 2592
           - Windows security bypass
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads