5ef73d904cf5dcbec5919fba0b640168d6feb8f7021507568297e3da1a7e47a5

Analysis

max time kernel
140s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Size

166KB
MD5

68f6d84ac9a28c2fea59ff5e04577911
SHA1

4a9875f646c5410f8317191ef2a91f934ce76f57
SHA256

5ef73d904cf5dcbec5919fba0b640168d6feb8f7021507568297e3da1a7e47a5
SHA512

5df07fa0cf7f52f8c76139a55170820136e9131116fd5e102f817ddd7c0c08bb75afc524d876effdfc748d52f58355e082e38230991044e79d02bd3c947f4ab2
SSDEEP

3072:ey0N28mDd+/NEmQhqR1K4mzWPmlIbJrw1ovX:ey0NuM1jXi4kIb13

Score

9^/10

adware collection credential_access discovery spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 1 IoCs

pid	Process
1724	mondhcp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\H:	mondhcp.exe
File opened (read-only)	\??\N:	mondhcp.exe
File opened (read-only)	\??\P:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\Y:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\X:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\L:	mondhcp.exe
File opened (read-only)	\??\E:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\Q:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\P:	mondhcp.exe
File opened (read-only)	\??\J:	mondhcp.exe
File opened (read-only)	\??\I:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\T:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\N:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\O:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\O:	mondhcp.exe
File opened (read-only)	\??\H:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\V:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\U:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\K:	mondhcp.exe
File opened (read-only)	\??\I:	mondhcp.exe
File opened (read-only)	\??\W:	mondhcp.exe
File opened (read-only)	\??\R:	mondhcp.exe
File opened (read-only)	\??\W:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\R:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\J:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\V:	mondhcp.exe
File opened (read-only)	\??\Q:	mondhcp.exe
File opened (read-only)	\??\Z:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\X:	mondhcp.exe
File opened (read-only)	\??\E:	mondhcp.exe
File opened (read-only)	\??\K:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\S:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\Y:	mondhcp.exe
File opened (read-only)	\??\G:	mondhcp.exe
File opened (read-only)	\??\U:	mondhcp.exe
File opened (read-only)	\??\T:	mondhcp.exe
File opened (read-only)	\??\S:	mondhcp.exe
File opened (read-only)	\??\M:	mondhcp.exe
File opened (read-only)	\??\M:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\L:	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened (read-only)	\??\Z:	mondhcp.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub"	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1"	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\pcsys.exe	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mondhcp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mondhcp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mondhcp.exe
File opened for modification	C:\Windows\SysWOW64\dhcpsys.ocx	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mondhcp.exe	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dhcpsys.ocx	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pcsys.exe	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mondhcp.exe
File opened for modification	C:\Windows\SysWOW64\mondhcp.exe	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mondhcp.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips = "0"	mondhcp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mondhcp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mondhcp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mondhcp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion	mondhcp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\SerialIID = b9c95af4c9bc9255e6ddf4d1e3dbc504	mondhcp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	mondhcp.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1"	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper"	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dhcpsys.ocx"	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj"	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment"	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeBackupPrivilege	4716	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
Token: SeDebugPrivilege	1724	mondhcp.exe
Token: SeChangeNotifyPrivilege	1724	mondhcp.exe
Token: SeBackupPrivilege	1724	mondhcp.exe
Token: SeBackupPrivilege	1724	mondhcp.exe
Token: SeBackupPrivilege	1724	mondhcp.exe
Token: SeBackupPrivilege	1724	mondhcp.exe
Token: SeBackupPrivilege	1724	mondhcp.exe
Token: SeBackupPrivilege	1724	mondhcp.exe
Token: SeBackupPrivilege	1724	mondhcp.exe
Token: SeBackupPrivilege	1724	mondhcp.exe
Token: SeBackupPrivilege	1724	mondhcp.exe
Token: SeBackupPrivilege	1724	mondhcp.exe
Token: SeBackupPrivilege	1724	mondhcp.exe
Token: SeBackupPrivilege	1724	mondhcp.exe
Token: SeBackupPrivilege	1724	mondhcp.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68f6d84ac9a28c2fea59ff5e04577911_JaffaCakes118.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
PID:4716

C:\Windows\SysWOW64\mondhcp.exe
C:\Windows\SysWOW64\mondhcp.exe mdp
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\advsec32.dll

Filesize
3KB

MD5
50a56d98be79a1e6f04a1964e170a5d7

SHA1
8f4138e9588ef329b5cf5bc945dee4ad9fec1dff

SHA256
1005b40f977b92cbc01b7a66558ff0621cbaf36f7b4b2ab2ca3c3a267891bc8d

SHA512
abcb43f5b27912a32f3db16e73b4741c3a35197f11754b5f2d3c21e0a5a55c2326bffdcd03ef4d1cb808440495adc80a99f4269a43b158f3994ecea7997ab2de

Download Submit
C:\Users\Public\Documents\ntuser{4CB43D7F-7EEE-4906-8698-80BEAA2A80A5F801}.pol

Filesize
4B

MD5
c2034cd093335ba6a60f16a46465cb4f

SHA1
30ce69605bd949dcb546e5091f6592207411318b

SHA256
194e16917ba83662adf6538df875a7cf807bc19d04926c2a026a7eb629b29c79

SHA512
6d5e1dbab5f23ef07fe661c4004fd158b791796f63e68524c67cd569eb16e27ce6c1d2f91b279ccf10ca3144c55c5f14851796f6463d9b409f38b3b5e3f24742

Download Submit
C:\Windows\SysWOW64\mondhcp.exe

Filesize
1.2MB

MD5
22d5f11ee7895e295e344674092d7612

SHA1
fc7e5a7272fbf2a01d2a5f439794413d5c88234a

SHA256
380ef5d92abdf950f81f119a82930852a5b103033a876f5e2c29bad71931ace9

SHA512
0846d12794a60ca2cc8f6d4fe1abc9f9b7cc6cc405e30602abca86735bd2f8911f204d94aa70b85e683f35ab4e6ce46b315c18103affb59ce2d7ec8e891cacfd

Download Submit