da0e9949633cfd2894625c9f1c648f87c7bab530ae0db53c59a02d93fc9a9e18

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
Size

373KB
MD5

3add78d02edf27ab7f616b4825a94715
SHA1

f728119ed96528f00ffc05c1b29dbf7fd86e140f
SHA256

da0e9949633cfd2894625c9f1c648f87c7bab530ae0db53c59a02d93fc9a9e18
SHA512

b46baf7b845388c1f72c2c66df4e5c8499af97d00f5900914c15694538509a9a6ea32fb259b4477ecf7fc2298a57b19915276af444e538bcd7254e9c1d66f692
SSDEEP

6144:8Agw1CkuzRUioXf0YLXRYHx3JpNe4Muvfz0daKS+ccYu:8muzRUXvQ2qfIdu3c

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\Q:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\S:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\U:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\V:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\W:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\H:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\O:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\R:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\T:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\M:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\N:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\X:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\Y:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\Z:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\G:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\I:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\J:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\K:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\P:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened (read-only)	\??\E:	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\runouce.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\index.html	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\readme.eml	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Soft Blue.htm	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBrowserUpgrade.html	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\readme.eml	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\readme.eml	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\readme.eml	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\MCABOUT.HTM	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\readme.eml	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\readme.eml	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\readme.eml	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\readme.eml	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2728	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2728	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2728	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	30
PID 2156 wrote to memory of 2728	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	30
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21
PID 2156 wrote to memory of 1164	2156	3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1164
- C:\Users\Admin\AppData\Local\Temp\3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3add78d02edf27ab7f616b4825a94715_JaffaCakes118.exe"
    3⤵
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml

Filesize
14KB

MD5
b1607df15988a60064e6feb0d98f2d42

SHA1
7b791c4e4bd220a6488e0428b915d05588968ed9

SHA256
166f3378915eee3538f678e0ac5fd8727c6537a7915c80ea30b8308b6e66e193

SHA512
c9e1570e3c3b77f16f05f8622000ae240fd8fc1a46547a7bc538862b0e901af450ebe2fcb7acffbbbd46e6eff4b9fa4f747b01d34ebc148b1730c2b882a78f8f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
8156706568e77846b7bfbcc091c6ffeb

SHA1
792aa0db64f517520ee8f745bee71152532fe4d2

SHA256
5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8

SHA512
8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
7757fe48a0974cb625e89012c92cc995

SHA1
e4684021f14053c3f9526070dc687ff125251162

SHA256
c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03

SHA512
b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
451KB

MD5
a10d9e3087d386fb3b50425945ea3d7c

SHA1
6d21fbd537f4b7440388f62f9450f8f557cd3bf4

SHA256
8cdda5b7c5acbe5426754ebd17dbb30b8514bcf545651795942dcb230a574b7c

SHA512
00b681b60578ae25cb1ae881ba6c79b7824893bac1fd3c263dc42316f5baa1edbb3a6b41c8bdad083af559b5ac183cc33f477296f0b4831f053ea31f73ba37ea

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
640KB

MD5
3e7b378beaebf16b8864e531e03a5692

SHA1
5499595d6264207d19ad34da653fb2eefbf56cd0

SHA256
b6c9425b18dfc65d90006a9c490ff8d0f1fafd87c6dd165238f6fb7df4b269fb

SHA512
2092090751e5ba4e6965a206a815a21c9d6ab21fa33fb955329036049ad13bdc3247163e01723525da1f889daf727c65c96247f97c2eeb59788aea56f17d1890

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
640KB

MD5
4f9964b2b841d7b76f0a45fae06b5048

SHA1
6930d06ded2e60875200b2765f7d0b9b8cbf159f

SHA256
f3a87f9c9c043367981bdbd28388f6463f6cd2b1ceebeebd5354c5b80e58004f

SHA512
984d32812450bec227ad83c187ed8e043a67868c3b943e11b489b1ad0178a0a6408f4720e576b5a17528ba695c1259f46dff8947b4dc88a78fbbcf3d4ce4b210

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
461KB

MD5
50c80955d8add5dffc949f9dfbb22503

SHA1
d895e2ac5297bc4548c8cb3e15a1386871a85131

SHA256
4b832094bc56f83e253cb7bc27d94b0102fa6b22609a334fbe2bc18a93413850

SHA512
27ae9622a53ed1a229e202c6cdc13f2e22cb1654b7a5892e7bf58ce817c6a9eb2b0c2e08a3cbb6f2754a0c36b56bc5742ffdd786c10948cfdddbe4bf4eafd330

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
451KB

MD5
36838ee4f1fccbb1b8fc19ad54da3e8f

SHA1
f5570431ae884bdc3e466faa3ed0142e6d946b61

SHA256
3f0de342903ffc0af6c2a2f2443bbbf4e4af76793b02d6b4fa014dc2e1fb1633

SHA512
84a37be1640b3f77d7e27d2f09139ab013d4484c8b235c12d432c4b811ac9277237cc8986a6087b348ce2469e1a34d596246d749b4aefed06fcbc5f21dfdab3b

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
461KB

MD5
3e61263b973cb1439fef174e38a18db2

SHA1
d2a4522a88f3a209983b058525f35dea3b741cff

SHA256
25dc5639c64445b1540679e8f6948e9754845ae47f5f681c4af32b92c9ac3f0f

SHA512
f553966b8339f9fea18978016572ab757debf18ec85c0235ef57ea2377475e9fc8f8d0374d1b4668a75137f1082effd10d5ebbf19ac138fedce113e88cc4c8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ose00000.exe

Filesize
152KB

MD5
f3d4a3f98136c8dfe3b0e04456c53731

SHA1
ba033fe44caa7b793bc286a22ae47dda1e1880eb

SHA256
8e7dd5cf54d3746c089dec5498787dd58cf1ea6d3b64c8ccfa4c98edb2119415

SHA512
daa67bae994174a4d5ce4aaabba1dd59c9c738c0049917296917b31358e99e3d37cc6b053001916943075e0c4d8fc7bac14612688b7561a1c1f2f1c128a61f15

Download Submit
C:\Windows\SysWOW64\runouce.exe

Filesize
10KB

MD5
27118e0f6c9ed09c4f906db3851608c9

SHA1
82a8c20f41142d3f294de0cf24dcee6257d96779

SHA256
c9908a853b1f0b812c5da4ee6b2e6781fd7b88bd4544322d4d5944609c00da3c

SHA512
06ecc662d292d1358de70cdf4e191f0e65b28375c115da4f2288bdf4fd8a81e9b92366aa090a144abca8631108b23b5cd9de5feda27842e964d6818991d09b77

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
0920d608396bbe6bc38d288686df9d32

SHA1
8ee6143885f5538ec489151294f022e273514c9e

SHA256
2437d813f85c6e46c517ab9ab1703ee5e3605b8953be0cc975c28b043532c1aa

SHA512
9d682bc2aec34f2241028821eeefc353d347961298bd24bbc83325056ec78b935dde183f28363807b89d53a3641a7fe367a907cd198e6e66f905857ce623c637

Download Submit
memory/1164-5-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1164-6-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2156-659-0x00000000002B0000-0x0000000000318000-memory.dmp

Filesize
416KB

Download
memory/2156-475-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2156-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2156-654-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2156-963-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2156-854-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2156-1008-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2156-1012-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2156-1014-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2156-1035-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2728-3-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2728-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads