Analysis
max time kernel: 148s
max time network: 142s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 23-07-2024 21:16
Static task: static1
Behavioral task: behavioral1
Sample: 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Resource: win10v2004-20240709-en
General
Target: 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Size: 166KB
MD5: 68f6d84ac9a28c2fea59ff5e04577911
SHA1: 4a9875f646c5410f8317191ef2a91f934ce76f57
SHA256: 5ef73d904cf5dcbec5919fba0b640168d6feb8f7021507568297e3da1a7e47a5
SHA512: 5df07fa0cf7f52f8c76139a55170820136e9131116fd5e102f817ddd7c0c08bb75afc524d876effdfc748d52f58355e082e38230991044e79d02bd3c947f4ab2
SSDEEP: 3072:ey0N28mDd+/NEmQhqR1K4mzWPmlIbJrw1ovX:ey0NuM1jXi4kIb13
Malware Config
Signatures
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.
Executes dropped EXE 1 IoCs
pid | Process
2504 | mgrsrv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (21 entries, one per drive letter) | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only) | \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (21 entries, one per drive letter) | mgrsrv.exe
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub" | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1" | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Drops file in System32 directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\mgrsrv.exe | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\mgrsrv.exe | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\cplusb.ocx | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\cplusb.ocx | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\monpc.exe | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\monpc.exe | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mgrsrv.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mgrsrv.exe
Modifies data under HKEY_USERS 13 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips = "0" | mgrsrv.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mgrsrv.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mgrsrv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | mgrsrv.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mgrsrv.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SerialIID = 5c9eac162fd0b25b7fa81e3b7bc8837e | mgrsrv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mgrsrv.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mgrsrv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mgrsrv.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mgrsrv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion | mgrsrv.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mgrsrv.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mgrsrv.exe
Modifies registry class 9 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWOW64\\cplusb.ocx" | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1" | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper" | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32 | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment" | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj" | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2524 | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe (all 64 entries are identical)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2524 | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege | 2524 | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege | 2524 | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe (repeated)
Token: SeDebugPrivilege | 2504 | mgrsrv.exe
Token: SeChangeNotifyPrivilege | 2504 | mgrsrv.exe
Token: SeBackupPrivilege | 2504 | mgrsrv.exe (repeated)
(64 entries in total; the repeated SeBackupPrivilege rows are collapsed into one row per process)
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 1808 wrote to memory of 2504 | 1808 | taskeng.exe | 30 (all 7 entries are identical)
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe"
  - Accesses Microsoft Outlook profiles
  - Enumerates connected drives
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_win_path
  PID: 2524

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {DA7E84BB-CFFC-4FE9-98C6-326B170851BD} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 1808

  C:\Windows\SysWOW64\mgrsrv.exe
    Command line: C:\Windows\SysWOW64\mgrsrv.exe 0zq
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID: 2504
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (1)
Credentials In Files (1)
Downloads
Filesize: 4B
MD5: c2034cd093335ba6a60f16a46465cb4f
SHA1: 30ce69605bd949dcb546e5091f6592207411318b
SHA256: 194e16917ba83662adf6538df875a7cf807bc19d04926c2a026a7eb629b29c79
SHA512: 6d5e1dbab5f23ef07fe661c4004fd158b791796f63e68524c67cd569eb16e27ce6c1d2f91b279ccf10ca3144c55c5f14851796f6463d9b409f38b3b5e3f24742

Filesize: 3KB
MD5: 50a56d98be79a1e6f04a1964e170a5d7
SHA1: 8f4138e9588ef329b5cf5bc945dee4ad9fec1dff
SHA256: 1005b40f977b92cbc01b7a66558ff0621cbaf36f7b4b2ab2ca3c3a267891bc8d
SHA512: abcb43f5b27912a32f3db16e73b4741c3a35197f11754b5f2d3c21e0a5a55c2326bffdcd03ef4d1cb808440495adc80a99f4269a43b158f3994ecea7997ab2de

Filesize: 1.8MB
MD5: da0eec6fdec78c076c9c07caaca3105b
SHA1: 0fd60f877f1227b2b2eccb056cb1a7304e28d7e9
SHA256: 4b78f1c5869b365cc766dbd48b35bb4c7f18969554840088208f446e2aeeabe3
SHA512: 9150a4fe32785eb8cbf93120b03958fa16604aa6170202260b3138147510380c47fd015418ae286d0c9332941d12fa3008817a98427949104000320f60277d39