Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel 150s
max time network 130s
platform windows7_x64
resource win7-20240704-en
resource tags arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted
23/07/2024, 15:23
Behavioral task
behavioral1
Sample
681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
Resource
win7-20240704-en
General
-
Target
681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
-
Size
309KB
-
MD5
681f4d4923414f8c803c67d39c2808b7
-
SHA1
1a3eaf39a3678f21454851d549cc8e936a7c2170
-
SHA256
2279c0b4fafbae6773c124bde2ed0ceb249f8917211b10b45d90db257462d012
-
SHA512
0a8cab079648f6a02f13f968d158d85a105ca09a6fa457768c822ec45f473b6b2f9919cd372500e1987125ad5d27f7f491f8bc389dbea9c77047f28501aefe81
-
SSDEEP
6144:HK0N5hVsYqtArnEmOP+5VTAkD3ejNTfVYNNymCnkW3qe:HK4DsNtADE6VTAkD3OCNymCkW3
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\International\Geo\Nation 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
Executes dropped EXE 3 IoCs
pid Process
2928 mscorsvw.exe
1772 mscorsvw.exe
2532 OSE.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule
behavioral1/memory/2732-0-0x0000000001000000-0x000000000108B000-memory.dmp upx
behavioral1/files/0x00010000000050f4-82.dat upx
behavioral1/memory/2928-83-0x0000000010000000-0x0000000010070000-memory.dmp upx
behavioral1/files/0x000100000000ecb6-93.dat upx
behavioral1/memory/1772-94-0x0000000000400000-0x0000000000479000-memory.dmp upx
behavioral1/memory/2928-100-0x0000000010000000-0x0000000010070000-memory.dmp upx
behavioral1/files/0x0001000000010412-113.dat upx
behavioral1/memory/2532-114-0x000000002E000000-0x000000002E086000-memory.dmp upx
behavioral1/files/0x00010000000095dd-204.dat upx
behavioral1/files/0x00010000000115ca-206.dat upx
behavioral1/files/0x000500000001a1f1-208.dat upx
behavioral1/files/0x0002000000010334-237.dat upx
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Windows security modification 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2212144002-1172735686-1556890956-1000 OSE.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-2212144002-1172735686-1556890956-1000\EnableNotifications = "0" OSE.EXE
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 7 IoCs
description ioc Process
File opened for modification C:\Users\Admin\Pictures\desktop.ini 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Users\Public\Pictures\desktop.ini 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Users\Admin\Music\desktop.ini 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Users\Public\desktop.ini 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Users\Public\Music\desktop.ini 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Users\Admin\Videos\desktop.ini 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Users\Public\Videos\desktop.ini 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\E: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\G: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\L: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\T: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\V: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\N: OSE.EXE
File opened (read-only) \??\Q: OSE.EXE
File opened (read-only) \??\U: OSE.EXE
File opened (read-only) \??\W: OSE.EXE
File opened (read-only) \??\M: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\R: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\X: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\B: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\I: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\W: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\Y: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\I: OSE.EXE
File opened (read-only) \??\L: OSE.EXE
File opened (read-only) \??\P: OSE.EXE
File opened (read-only) \??\A: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\Q: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\V: OSE.EXE
File opened (read-only) \??\P: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\E: OSE.EXE
File opened (read-only) \??\O: OSE.EXE
File opened (read-only) \??\S: OSE.EXE
File opened (read-only) \??\Z: OSE.EXE
File opened (read-only) \??\J: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\N: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\O: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\S: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\Z: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\H: OSE.EXE
File opened (read-only) \??\J: OSE.EXE
File opened (read-only) \??\K: OSE.EXE
File opened (read-only) \??\M: OSE.EXE
File opened (read-only) \??\H: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\K: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\U: 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened (read-only) \??\G: OSE.EXE
File opened (read-only) \??\T: OSE.EXE
File opened (read-only) \??\R: OSE.EXE
File opened (read-only) \??\X: OSE.EXE
File opened (read-only) \??\Y: OSE.EXE
Drops file in System32 directory 35 IoCs
description ioc Process
File opened for modification \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\fxssvc.exe OSE.EXE
File opened for modification \??\c:\windows\SysWOW64\dllhost.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File created \??\c:\windows\SysWOW64\msiexec.vir 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\wbengine.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\vssvc.exe OSE.EXE
File opened for modification \??\c:\windows\SysWOW64\fxssvc.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\ieetwcollector.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\msdtc.exe OSE.EXE
File opened for modification \??\c:\windows\SysWOW64\locator.exe OSE.EXE
File opened for modification \??\c:\windows\SysWOW64\alg.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\vssvc.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\msiexec.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\syswow64\perfhost.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\locator.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\lsass.exe OSE.EXE
File created \??\c:\windows\SysWOW64\svchost.vir 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File created \??\c:\windows\SysWOW64\dllhost.vir 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\ui0detect.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\searchindexer.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\ieetwcollector.exe OSE.EXE
File opened for modification \??\c:\windows\syswow64\perfhost.exe OSE.EXE
File opened for modification \??\c:\windows\SysWOW64\ui0detect.exe OSE.EXE
File opened for modification \??\c:\windows\SysWOW64\svchost.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\lsass.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\wbengine.exe OSE.EXE
File opened for modification \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe OSE.EXE
File opened for modification \??\c:\windows\SysWOW64\msdtc.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\vds.exe OSE.EXE
File created \??\c:\windows\SysWOW64\searchindexer.vir 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\alg.exe OSE.EXE
File opened for modification \??\c:\windows\SysWOW64\svchost.exe OSE.EXE
File opened for modification \??\c:\windows\SysWOW64\snmptrap.exe OSE.EXE
File opened for modification \??\c:\windows\SysWOW64\snmptrap.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\SysWOW64\vds.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
Drops file in Program Files directory 64 IoCs
description ioc Process
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe OSE.EXE
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\7-Zip\7zFM.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File created \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File created \??\c:\program files (x86)\microsoft office\office14\groove.vir 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\7-Zip\Uninstall.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\program files (x86)\microsoft office\office14\groove.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\program files\windows media player\wmpnetwk.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\7-Zip\7z.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File created C:\Program Files\7-Zip\Uninstall.vir 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe OSE.EXE
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\program files (x86)\microsoft office\office14\groove.exe OSE.EXE
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
Drops file in Windows directory 27 IoCs
description ioc Process
File opened for modification \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe OSE.EXE
File opened for modification \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log mscorsvw.exe
File created \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe OSE.EXE
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat mscorsvw.exe
File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FC29216D-06E5-484D-B15C-0550440574C7}.crmlog dllhost.exe
File opened for modification \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe OSE.EXE
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe OSE.EXE
File created \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock mscorsvw.exe
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe OSE.EXE
File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FC29216D-06E5-484D-B15C-0550440574C7}.crmlog dllhost.exe
File opened for modification \??\c:\windows\servicing\trustedinstaller.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\ehome\ehrecvr.exe OSE.EXE
File opened for modification \??\c:\windows\ehome\ehsched.exe OSE.EXE
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe OSE.EXE
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe OSE.EXE
File opened for modification \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\ehome\ehrecvr.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\ehome\ehsched.exe 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
File opened for modification \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe OSE.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmpshare.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mscorsvw.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OSE.EXE
Modifies data under HKEY_USERS 3 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SearchIndexer.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones SearchIndexer.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap SearchIndexer.exe
Modifies registry class 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}" 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process
2532 OSE.EXE (repeated 26 times)
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 2732 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
Token: SeRestorePrivilege 2176 msiexec.exe
Token: SeTakeOwnershipPrivilege 2176 msiexec.exe
Token: SeSecurityPrivilege 2176 msiexec.exe
Token: SeManageVolumePrivilege 1108 SearchIndexer.exe
Token: 33 1108 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1108 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 2532 OSE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
2732 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
3068 SearchProtocolHost.exe (repeated 4 times)
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target
PID 2732 wrote to memory of 2748 2732 681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe 30 (repeated 4 times)
PID 1108 wrote to memory of 3068 1108 SearchIndexer.exe 38 (repeated 3 times)
PID 1108 wrote to memory of 1804 1108 SearchIndexer.exe 39 (repeated 3 times)
PID 1108 wrote to memory of 2936 1108 SearchIndexer.exe 41 (repeated 3 times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\681f4d4923414f8c803c67d39c2808b7_JaffaCakes118.exe"
Tree level: 1
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2732
C:\Program Files (x86)\Windows Media Player\wmpshare.exe
Command line: "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
Tree level: 2
- System Location Discovery: System Language Discovery
PID:2748
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Tree level: 1
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2928
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Tree level: 1
- Executes dropped EXE
PID:1772
-
C:\Windows\system32\dllhost.exe
Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Tree level: 1
- Drops file in Windows directory
PID:920
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
Tree level: 1
- Suspicious use of AdjustPrivilegeToken
PID:2176
-
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Tree level: 1
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
Tree level: 1
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108
C:\Windows\system32\SearchProtocolHost.exe
Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-2212144002-1172735686-1556890956-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
Tree level: 2
- Suspicious use of SetWindowsHookEx
PID:3068
-
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
Tree level: 2
PID:1804
-
-
C:\Windows\system32\SearchFilterHost.exe
Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
Tree level: 2
PID:2936
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
284KB
MD5 7ffeb68eb174c10b3f48898548a2f2a0
SHA1 6a02857cd6c936fe1566969450996e8d2d6af707
SHA256 9f120500f86cd50bcfefd660dd2ddd192b7ec6909ec6d910978ed0b7c2d53269
SHA512 3a7ee1ab3addb35746241579ab3713520900c8cc3d852532ae26c252b0821351158a0f2b97c8b37197351935c1e284b627912f675fffd0c8c8e5eee30a41627c
-
Filesize
1.2MB
MD5 81c19480abd4ea36763852ec1ee742d4
SHA1 5b9469f27c40c96d6a74de59ed6c4eafcaa1a08a
SHA256 bdfe435ad5d00e55ea05332e2de62bd2aafc8bab6ec8925dbc0036226db700cd
SHA512 3b71d6dc9d0f8c5d652b75db80078fee37c5e6b71cf1ad744b1b38c4ed553681ad50e6e6aaee8570cfef7c0b831e85b5156b44cb6c3f6d0a79c2ed1a7d1cbe58
-
Filesize
284KB
MD5 a40d7040911f9360acab97ed2fac1b11
SHA1 6a7df4f5e840d0fd7dc65fb9b02690c768b649bd
SHA256 4f5467e4377a52dd76cc724ff665ae8c56e4008bc61590c809b23861428d2bbd
SHA512 c9afd78f2de5ade601f0e7caa5b788041460a3fb636f7d2560291e37cab5d050fc0b1edfa837e9fed4363724f1aa9cb4b09b3d94b4b38592a7d72540796cd0c5
-
Filesize
1024KB
MD5 d10c27f59dfdc972c4de635687df4614
SHA1 3ebd0ac94d845bca26c36a05e3a70f75561fe3e4
SHA256 71636872ba48e12fbf90eec49168337910ef98ad0ee00cda106f2904c83f8f65
SHA512 4c649ed28619302cbad9f1a2455bd4f2970b05f59740d642c4691f073df9e195bd6fcbcda107ffe7ad7b095bcff68c1882744e86fb374c4224f804850010bf4c
-
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{7A56F667-11B5-41B1-B30E-A0703FAFB277}.jpg
Filesize 22KB
MD5 35e787587cd3fa8ed360036c9fca3df2
SHA1 84c76a25c6fe336f6559c033917a4c327279886d
SHA256 98c49a68ee578e10947209ebc17c0ad188ed39c7d0c91a2b505f317259c0c9b2
SHA512 aeec3eed5a52670f4cc35935005bb04bb435964a1975e489b8e101adfbce278142fd1a6c475860b7ccb414afe5e24613361a66d92f457937de9b21a7a112e1f9
-
C:\Users\Admin\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\{CE15F2BF-B9D6-4528-A990-1074749AF156}.jpg
Filesize 23KB
MD5 fd5fd28e41676618aac733b243ad54db
SHA1 b2d69ad6a2e22c30ef1806ac4f990790c3b44763
SHA256 a26544648ef8ceffad6c789a3677031be3c515918627d7c8f8e0587d3033c431
SHA512 4c32623796679be7066b719f231d08d24341784ecfd5d6461e8140379f5b394216e446865df56e05b5f1e36962c9d34d2b5041275366aeabcd606f4536217fe4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VOGNAB2O\mg4_wmp12_30x30_2[1].png
Filesize 1KB
MD5 2fb401b99e4b8728820a2fc6a80e89bb
SHA1 30b7bc0ab429165b797018b85204ccb51cda2689
SHA256 1be5955f420df102cc84e1a7cd470ea81ded6e2a4ac13409dcdd24541522837e
SHA512 414f4762f26e412d983ee29650b01c6f1ce04f48d114fde21e1fb91efcfd142ae24edc8dee3aba6bf22db41cd75c92e78a83bbbeaff707ef42992ed5119d3692
-
Filesize
32KB
MD5 84bba83cfbc0233517407678bb842686
SHA1 1c617de788de380d28c52dc733ad580c3745a1c1
SHA256 6ecf98adb3cd0931ec803f3a56a9563c7d60bb86ec1886b21e3d0f7eb25198d9
SHA512 a6a80c00a28c43c1c427018e6fb6dac4682d299d2f50202f520af0b1bca803546c850f04094ed2f532ff8775f6d45f2a40e4f5e069937bcaa0326a80bd818e0e
-
Filesize
203KB
MD5 1054794e0d4602da866fc1bd5335fd28
SHA1 09fa7fec96bdc99c8d8060e13a5190a9ac47ecb6
SHA256 bf17cc35978a2ee4fcfed2ff5e1af2807a08072b477300e77c7d276a52a56ca1
SHA512 4038b53e9c9e6656bcba3723e63c4bccf4127323b444c122aaeea05bec18f984f6b87a800c26e0c5f8e07c58134130166665700a3c06bbc0934c239c62d34e03
-
Filesize
1003KB
MD5 93b8d4f09716b9bd32dab20ae191ba2f
SHA1 ddf7abebaa8cfdf4eb9fa8e2fc18c09994dcf5fd
SHA256 3a946732fee7fba82b3d70e72e68c33ecde18e2b01a615f72a4eee33f736c686
SHA512 9503690bdf43fd363181f204694cf8ce1f7e2533118912f22e6c2d380048c79572ab0a642f95d9af719201d2aaab026249c10ab6b00e5fcfb94179683e6960ee
-
Filesize
234KB
MD5 824a5ec60bffac62cc319f2ed6e76b6d
SHA1 f85df9a2cdb4598564a51d4e2890bd23bbb16939
SHA256 b3f7bc8acc07ac728477dcce83a1952659f23071f8afd3b14fb3ca6e6f61a67c
SHA512 dc56a03d5f3f04afaf8e9a97d0cee5d1272b3925e529745eeaedd90147cd54df205f8bd5f48939d9411eba7cc8bdfdd8a7665707bf7605407fd2939a762907c2
-
Filesize
29.7MB
MD5 11c558b05e1b6da7abdff816b351bf7c
SHA1 485fcdee3a7cb7a5ddc225dce29ec906c404d120
SHA256 848ae59bc24124c76aac9b3cdce456c4649ad0c59f3c7689130a5b02bdca100c
SHA512 a43e1fe11c21c0f952b5748a5e4cfed413b9f5d8f1be422a71b14f66b4cc4b41f02ea69329438aba53ae8e729ad6ae766ae08af24ccf27f8633e7fb36450936a
-
Filesize
164KB
MD5 234f435cd3088121b6c64219ab325ec0
SHA1 65617b0ae173b729579ffa0275d207529a38c6e4
SHA256 915778d156c2cc567f7f07d102406bc92911c6b5cb7d69366c3e783e12628ad2
SHA512 02758a65dae89bf3acf1f5cbe2ab9db4f2afa02fc51e1910de0002c2506927c95bcc24f64778a3f78e25d0cdcac2f73afa0f7589f080448119c7e60f6a60e7db