2279c0b4fafbae6773c124bde2ed0ceb249f8917211b10b45d90db257462d012

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
Size

309KB
MD5

681f4d4923414f8c803c67d39c2808b7
SHA1

1a3eaf39a3678f21454851d549cc8e936a7c2170
SHA256

2279c0b4fafbae6773c124bde2ed0ceb249f8917211b10b45d90db257462d012
SHA512

0a8cab079648f6a02f13f968d158d85a105ca09a6fa457768c822ec45f473b6b2f9919cd372500e1987125ad5d27f7f491f8bc389dbea9c77047f28501aefe81
SSDEEP

6144:HK0N5hVsYqtArnEmOP+5VTAkD3ejNTfVYNNymCnkW3qe:HK4DsNtADE6VTAkD3OCNymCkW3

Score

7^/10

credential_access discovery evasion spyware stealer trojan upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
2928	mscorsvw.exe
1772	mscorsvw.exe
2532	OSE.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2732-0-0x0000000001000000-0x000000000108B000-memory.dmp	upx
behavioral1/files/0x00010000000050f4-82.dat	upx
behavioral1/memory/2928-83-0x0000000010000000-0x0000000010070000-memory.dmp	upx
behavioral1/files/0x000100000000ecb6-93.dat	upx
behavioral1/memory/1772-94-0x0000000000400000-0x0000000000479000-memory.dmp	upx
behavioral1/memory/2928-100-0x0000000010000000-0x0000000010070000-memory.dmp	upx
behavioral1/files/0x0001000000010412-113.dat	upx
behavioral1/memory/2532-114-0x000000002E000000-0x000000002E086000-memory.dmp	upx
behavioral1/files/0x00010000000095dd-204.dat	upx
behavioral1/files/0x00010000000115ca-206.dat	upx
behavioral1/files/0x000500000001a1f1-208.dat	upx
behavioral1/files/0x0002000000010334-237.dat	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2212144002-1172735686-1556890956-1000	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2212144002-1172735686-1556890956-1000\EnableNotifications = "0"	OSE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Users\Public\desktop.ini	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\G:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\L:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\T:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\V:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\N:	OSE.EXE
File opened (read-only)	\??\Q:	OSE.EXE
File opened (read-only)	\??\U:	OSE.EXE
File opened (read-only)	\??\W:	OSE.EXE
File opened (read-only)	\??\M:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\R:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\X:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\B:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\I:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\W:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\Y:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\I:	OSE.EXE
File opened (read-only)	\??\L:	OSE.EXE
File opened (read-only)	\??\P:	OSE.EXE
File opened (read-only)	\??\A:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\Q:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\V:	OSE.EXE
File opened (read-only)	\??\P:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\E:	OSE.EXE
File opened (read-only)	\??\O:	OSE.EXE
File opened (read-only)	\??\S:	OSE.EXE
File opened (read-only)	\??\Z:	OSE.EXE
File opened (read-only)	\??\J:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\N:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\O:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\S:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\Z:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\H:	OSE.EXE
File opened (read-only)	\??\J:	OSE.EXE
File opened (read-only)	\??\K:	OSE.EXE
File opened (read-only)	\??\M:	OSE.EXE
File opened (read-only)	\??\H:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\K:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\U:	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only)	\??\G:	OSE.EXE
File opened (read-only)	\??\T:	OSE.EXE
File opened (read-only)	\??\R:	OSE.EXE
File opened (read-only)	\??\X:	OSE.EXE
File opened (read-only)	\??\Y:	OSE.EXE

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	OSE.EXE
File created	\??\c:\windows\SysWOW64\svchost.vir	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	OSE.EXE
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	OSE.EXE
File created	\??\c:\windows\SysWOW64\searchindexer.vir	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft office\office14\groove.vir	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Uninstall.vir	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	OSE.EXE
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	OSE.EXE
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	OSE.EXE
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FC29216D-06E5-484D-B15C-0550440574C7}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	OSE.EXE
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	OSE.EXE
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FC29216D-06E5-484D-B15C-0550440574C7}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	OSE.EXE
File opened for modification	\??\c:\windows\ehome\ehsched.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	OSE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpshare.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE
2532	OSE.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2732	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
Token: SeRestorePrivilege	2176	msiexec.exe
Token: SeTakeOwnershipPrivilege	2176	msiexec.exe
Token: SeSecurityPrivilege	2176	msiexec.exe
Token: SeManageVolumePrivilege	1108	SearchIndexer.exe
Token: 33	1108	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1108	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2532	OSE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2732	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3068	SearchProtocolHost.exe
3068	SearchProtocolHost.exe
3068	SearchProtocolHost.exe
3068	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2748	2732	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2748	2732	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2748	2732	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2748	2732	681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe	30
PID 1108 wrote to memory of 3068	1108	SearchIndexer.exe	38
PID 1108 wrote to memory of 3068	1108	SearchIndexer.exe	38
PID 1108 wrote to memory of 3068	1108	SearchIndexer.exe	38
PID 1108 wrote to memory of 1804	1108	SearchIndexer.exe	39
PID 1108 wrote to memory of 1804	1108	SearchIndexer.exe	39
PID 1108 wrote to memory of 1804	1108	SearchIndexer.exe	39
PID 1108 wrote to memory of 2936	1108	SearchIndexer.exe	41
PID 1108 wrote to memory of 2936	1108	SearchIndexer.exe	41
PID 1108 wrote to memory of 2936	1108	SearchIndexer.exe	41

C:\Users\Admin\AppData\Local\Temp\681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Program Files (x86)\Windows Media Player\wmpshare.exe
  "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2748

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1772

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:920

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3068
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
  2⤵
  PID:1804
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
  2⤵
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
284KB

MD5
7ffeb68eb174c10b3f48898548a2f2a0

SHA1
6a02857cd6c936fe1566969450996e8d2d6af707

SHA256
9f120500f86cd50bcfefd660dd2ddd192b7ec6909ec6d910978ed0b7c2d53269

SHA512
3a7ee1ab3addb35746241579ab3713520900c8cc3d852532ae26c252b0821351158a0f2b97c8b37197351935c1e284b627912f675fffd0c8c8e5eee30a41627c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.2MB

MD5
81c19480abd4ea36763852ec1ee742d4

SHA1
5b9469f27c40c96d6a74de59ed6c4eafcaa1a08a

SHA256
bdfe435ad5d00e55ea05332e2de62bd2aafc8bab6ec8925dbc0036226db700cd

SHA512
3b71d6dc9d0f8c5d652b75db80078fee37c5e6b71cf1ad744b1b38c4ed553681ad50e6e6aaee8570cfef7c0b831e85b5156b44cb6c3f6d0a79c2ed1a7d1cbe58

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
284KB

MD5
a40d7040911f9360acab97ed2fac1b11

SHA1
6a7df4f5e840d0fd7dc65fb9b02690c768b649bd

SHA256
4f5467e4377a52dd76cc724ff665ae8c56e4008bc61590c809b23861428d2bbd

SHA512
c9afd78f2de5ade601f0e7caa5b788041460a3fb636f7d2560291e37cab5d050fc0b1edfa837e9fed4363724f1aa9cb4b09b3d94b4b38592a7d72540796cd0c5

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
d10c27f59dfdc972c4de635687df4614

SHA1
3ebd0ac94d845bca26c36a05e3a70f75561fe3e4

SHA256
71636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65

SHA512
4c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{7A56F667-11B5-41B1-B30E-A0703FAFB277}.jpg

Filesize
22KB

MD5
35e787587cd3fa8ed360036c9fca3df2

SHA1
84c76a25c6fe336f6559c033917a4c327279886d

SHA256
98c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2

SHA512
aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{CE15F2BF-B9D6-4528-A990-1074749AF156}.jpg

Filesize
23KB

MD5
fd5fd28e41676618aac733b243ad54db

SHA1
b2d69ad6a2e22c30ef1806ac4f990790c3b44763

SHA256
a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431

SHA512
4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VOGNAB2O\mg4_wmp12_30x30_2[1].png

Filesize
1KB

MD5
2fb401b99e4b8728820a2fc6a80e89bb

SHA1
30b7bc0ab429165b797018b85204ccb51cda2689

SHA256
1be5955f420df102cc84e1a7cd470ea81ded6e2a4ac13409dcdd24541522837e

SHA512
414f4762f26e412d983ee29650b01c6f1ce04f48d114fde21e1fb91efcfd142ae24edc8dee3aba6bf22db41cd75c92e78a83bbbeaff707ef42992ed5119d3692

Download Submit
C:\Users\Public\Music\Sample Music\AlbumArt_{5FA05D35-A682-4AF6-96F7-0773E42D4D16}_Large.jpg

Filesize
32KB

MD5
84bba83cfbc0233517407678bb842686

SHA1
1c617de788de380d28c52dc733ad580c3745a1c1

SHA256
6ecf98adb3cd0931ec803f3a56a9563c7d60bb86ec1886b21e3d0f7eb25198d9

SHA512
a6a80c00a28c43c1c427018e6fb6dac4682d299d2f50202f520af0b1bca803546c850f04094ed2f532ff8775f6d45f2a40e4f5e069937bcaa0326a80bd818e0e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
203KB

MD5
1054794e0d4602da866fc1bd5335fd28

SHA1
09fa7fec96bdc99c8d8060e13a5190a9ac47ecb6

SHA256
bf17cc35978a2ee4fcfed2ff5e1af2807a08072b477300e77c7d276a52a56ca1

SHA512
4038b53e9c9e6656bcba3723e63c4bccf4127323b444c122aaeea05bec18f984f6b87a800c26e0c5f8e07c58134130166665700a3c06bbc0934c239c62d34e03

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
93b8d4f09716b9bd32dab20ae191ba2f

SHA1
ddf7abebaa8cfdf4eb9fa8e2fc18c09994dcf5fd

SHA256
3a946732fee7fba82b3d70e72e68c33ecde18e2b01a615f72a4eee33f736c686

SHA512
9503690bdf43fd363181f204694cf8ce1f7e2533118912f22e6c2d380048c79572ab0a642f95d9af719201d2aaab026249c10ab6b00e5fcfb94179683e6960ee

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
234KB

MD5
824a5ec60bffac62cc319f2ed6e76b6d

SHA1
f85df9a2cdb4598564a51d4e2890bd23bbb16939

SHA256
b3f7bc8acc07ac728477dcce83a1952659f23071f8afd3b14fb3ca6e6f61a67c

SHA512
dc56a03d5f3f04afaf8e9a97d0cee5d1272b3925e529745eeaedd90147cd54df205f8bd5f48939d9411eba7cc8bdfdd8a7665707bf7605407fd2939a762907c2

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
29.7MB

MD5
11c558b05e1b6da7abdff816b351bf7c

SHA1
485fcdee3a7cb7a5ddc225dce29ec906c404d120

SHA256
848ae59bc24124c76aac9b3cdce456c4649ad0c59f3c7689130a5b02bdca100c

SHA512
a43e1fe11c21c0f952b5748a5e4cfed413b9f5d8f1be422a71b14f66b4cc4b41f02ea69329438aba53ae8e729ad6ae766ae08af24ccf27f8633e7fb36450936a

Download Submit
\??\c:\windows\SysWOW64\svchost.exe

Filesize
164KB

MD5
234f435cd3088121b6c64219ab325ec0

SHA1
65617b0ae173b729579ffa0275d207529a38c6e4

SHA256
915778d156c2cc567f7f07d102406bc92911c6b5cb7d69366c3e783e12628ad2

SHA512
02758a65dae89bf3acf1f5cbe2ab9db4f2afa02fc51e1910de0002c2506927c95bcc24f64778a3f78e25d0cdcac2f73afa0f7589f080448119c7e60f6a60e7db

Download Submit
memory/1108-135-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/1108-119-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/1108-158-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/1108-164-0x0000000003F10000-0x0000000003F11000-memory.dmp

Filesize
4KB

Download
memory/1108-170-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/1108-172-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/1108-181-0x0000000003ED0000-0x0000000003ED8000-memory.dmp

Filesize
32KB

Download
memory/1772-94-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2532-114-0x000000002E000000-0x000000002E086000-memory.dmp

Filesize
536KB

Download
memory/2732-0-0x0000000001000000-0x000000000108B000-memory.dmp

Filesize
556KB

Download
memory/2732-215-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2732-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2928-100-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download
memory/2928-83-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download