Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 22/07/2024, 14:32
Behavioral task
behavioral1
Sample
638d7b28db4faf93feade63c448defd6_JaffaCakes118.exe
Resource
win7-20240704-en
General
- Target: 638d7b28db4faf93feade63c448defd6_JaffaCakes118.exe
- Size: 264KB
- MD5: 638d7b28db4faf93feade63c448defd6
- SHA1: 55df792d0e211a16f72adec6c6132846f6d4d9ea
- SHA256: 5acf40c28e3a379bb1175d587785e3f46d8c5e334428c4f19d5c09093b7b0bb2
- SHA512: e5fd966bc4af20f0ec1b15696df5f53cc1ba9a5cd513ce01ab0a0f26403abf81f3d0e9f0b1a8ac21773f9d51ce276259ec93e0c9c7f2932deb0d48f527dcfa3a
- SSDEEP: 6144:hmBAzkkQkxLQh51HIs+7lo9JUfWO7yRUmh23C:qAzkkQ4QW9lgUfvuRUmA
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid / Process:
- 2472 mscorsvw.exe
- 2868 mscorsvw.exe
- 2656 OSE.EXE
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource / yara_rule (all matches: upx):
- behavioral1/memory/2420-0-0x0000000001000000-0x000000000109A000-memory.dmp upx
- behavioral1/files/0x00010000000050f4-10.dat upx
- behavioral1/memory/2472-11-0x0000000010000000-0x0000000010070000-memory.dmp upx
- behavioral1/memory/2868-22-0x0000000000400000-0x0000000000479000-memory.dmp upx
- behavioral1/files/0x000100000000ecb0-21.dat upx
- behavioral1/memory/2472-24-0x0000000010000000-0x0000000010070000-memory.dmp upx
- behavioral1/files/0x00010000000103d5-41.dat upx
- behavioral1/memory/2656-42-0x000000002E000000-0x000000002E086000-memory.dmp upx
- behavioral1/files/0x0005000000019622-56.dat upx
- behavioral1/files/0x00010000000095dd-63.dat upx
- behavioral1/files/0x00010000000115c9-65.dat upx
- behavioral1/files/0x000100000000955f-66.dat upx
- behavioral1/files/0x001500000000f7f5-80.dat upx
-
Windows security modification 2 IoCs
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3450744190-3404161390-554719085-1000 (OSE.EXE)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3450744190-3404161390-554719085-1000\EnableNotifications = "0" (OSE.EXE)
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 36 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 27 IoCs
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid / Process: 2656 OSE.EXE (26 occurrences)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
description / pid / Process:
- Token: SeTakeOwnershipPrivilege, 2420, 638d7b28db4faf93feade63c448defd6_JaffaCakes118.exe
- Token: SeRestorePrivilege, 2712, msiexec.exe
- Token: SeTakeOwnershipPrivilege, 2712, msiexec.exe
- Token: SeSecurityPrivilege, 2712, msiexec.exe
- Token: SeTakeOwnershipPrivilege, 2656, OSE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\638d7b28db4faf93feade63c448defd6_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\638d7b28db4faf93feade63c448defd6_JaffaCakes118.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
- Executes dropped EXE
- Drops file in Windows directory
PID:2472
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- Executes dropped EXE
PID:2868
-
C:\Windows\system32\dllhost.exe
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
- Drops file in Windows directory
PID:2216
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656
Network
MITRE ATT&CK Enterprise v15
Downloads