4f6bc0019b51f2fa6eb9ddb83860d35196a34e51db24706a9f8d42c3821ed438

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
Size

33KB
MD5

a51563747130d0795c8f53fe3f12f9ae
SHA1

e930abaf1331f97a497dc7d6088154906541869b
SHA256

4f6bc0019b51f2fa6eb9ddb83860d35196a34e51db24706a9f8d42c3821ed438
SHA512

388747aea615f512fe2102b222b6d1023a9978feeb2b3491db7f140fbf7738b2997792a20e7a7d4309efa84b436b54468c5826d5501d9a447851b538f9d40b97
SSDEEP

768:I0X7HC9hO5RroZJ767395uINnEfDKBbUCp1OTZ+/V:Ici9he+Zk77RNzLiTO

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\J:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\E:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\Z:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\V:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\U:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\T:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\R:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\Y:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\X:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\N:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\H:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\W:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\S:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\P:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\M:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\G:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\Q:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\O:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\K:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened (read-only)	\??\I:	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\it-it\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ru-ru\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\it-it\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sk-sk\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Services\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\root\vfs\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\he-il\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\_desktop.ini	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
File created	C:\Windows\Dll.dll	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 3916	4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe	84
PID 4532 wrote to memory of 3916	4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe	84
PID 4532 wrote to memory of 3916	4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe	84
PID 3916 wrote to memory of 2428	3916	net.exe	86
PID 3916 wrote to memory of 2428	3916	net.exe	86
PID 3916 wrote to memory of 2428	3916	net.exe	86
PID 4532 wrote to memory of 1492	4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe	90
PID 4532 wrote to memory of 1492	4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe	90
PID 4532 wrote to memory of 1492	4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe	90
PID 1492 wrote to memory of 3220	1492	net.exe	92
PID 1492 wrote to memory of 3220	1492	net.exe	92
PID 1492 wrote to memory of 3220	1492	net.exe	92
PID 4532 wrote to memory of 3412	4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe	56
PID 4532 wrote to memory of 3412	4532	a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a51563747130d0795c8f53fe3f12f9ae_JaffaCakes118.exe"
  2⤵
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2428
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
250KB

MD5
31dd0a6e1d579f2c6154cc8c001200da

SHA1
59f80ef5fba7f8ec72cf38c7661966f76ece666c

SHA256
dc987ba880cc21874a898a2f917298f256dca49d30520a25d2f7d47e13436d76

SHA512
6e973421c1bfe82523c9d7dbe53958a07c256b201287e6ec71dc4fffda9ac2ab51c0e6b5bd3a47dbef20355d217d6e36761b8251f7f3b2caab4c0fab8b325c43

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
176KB

MD5
07fab83758b73de8bf239382c9425d89

SHA1
4ecd562daaa3bd4face709eefb61bc1d9e301ca0

SHA256
e15b757e91bdbd4d60f6d3f411c2f50581aaab2d4f29f1228e6d4d6820e9ab4b

SHA512
555158396d4e67a81a9cd6e0beed739cee1983eec0885bbcd98b70c66348376f17a36024e1dac9ef4da498dfef388f87f9667b0ef12b8dab62a4f87a3ed0d02f

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
643KB

MD5
a5d877ddb05e13f657da9a470f10bd7c

SHA1
0e06863bb66b72b01d0120f89a176a13ffccc6cc

SHA256
5fba16468f3e99ea99a8b3007a6d4a34ddcbedcf757c192f0eaf707297414777

SHA512
aa28dca40bbc144f40dec11b83cbb4ed746f3f74c831318c2eea0d5d4108ed6452485f30ab7f697114e19b48d4b256580042a542ebd65dacacea5e5384f600ed

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-786284298-625481688-3210388970-1000\_desktop.ini

Filesize
9B

MD5
36657916738d378a6daf6ec7b690badd

SHA1
e4d3726bd02e1e99b12ada04a242fd6ef7c2843c

SHA256
7cd83d4ff3f3c6844b544fa7790bc1e7ed8bf829627657544861ac726071831c

SHA512
b7878056ad1c2294fb0e659eee6c7861948010b69a43930d8a243f61cebbea83fcd6fb11db19c01f731a925a7a744c6cc4de2eb0ffdc3863acf71e4cc05b2d6b

Download Submit
memory/4532-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4532-3-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4532-2825-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4532-8848-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download