29af67dcd18f256e50337aab8f1ec1b6a62b0e455aefcbb3f48e1e8531a605ac

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Size

324KB
MD5

ab7097964d089e14d31be680156d7abb
SHA1

4d895c64144498b0a0427398b6be3d91f1edd152
SHA256

29af67dcd18f256e50337aab8f1ec1b6a62b0e455aefcbb3f48e1e8531a605ac
SHA512

55e7c46ac9c98458754ef9a4d797b500954560a7eaceba3a42063367a078ae0ec2ff3091a6524fbf97987cc260f3e0b7425333dee3265ebbc3f447005a60f2c6
SSDEEP

6144:ZcN9GQKvPKlyfptBr6XSmNNpvtTdIKLKW/noR07K08RHw6Rm:ZcNdKnKlyx7yHF5dB/nF7HtK

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2136	ctxmon.exe

Loads dropped DLL 1 IoCs

pid	Process
2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yazzz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctxmon.exe"	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\atitool = "C:\\Users\\Admin\\AppData\\Roaming\\pwrwin.exe"	ctxmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\atitool = "C:\\Users\\Admin\\AppData\\Roaming\\pwrwin.exe"	ctxmon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\migwiz\migwiz.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SearchIndexer.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\taskkill.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tasklist.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\TpmInit.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\autoconv.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dccw.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lodctr.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMEJP10\imjppdmg.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\InfDefaultInstall.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntkrnlpa.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SecEdit.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SndVol.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bthudtask.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\chkdsk.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dnscacheugc.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ntprint.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SetIEInstalledDate.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\choice.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\efsui.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\poqexec.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\setup16.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesPerformance.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\takeown.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cipher.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dfrgui.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mspaint.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\regini.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drvinst.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LocationNotifications.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\regedt32.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\logman.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\auditpol.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cmdkey.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\icardagt.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\charmap.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\eventcreate.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\user.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setup.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PushPrinterConnections.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SearchProtocolHost.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\isoburn.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ktmutil.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\OptionalFeatures.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\perfhost.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\raserver.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\calc.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\convert.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IME\shared\IMCCPHR.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RMActivate.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wusa.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\odbcad32.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wbem\WinMgmt.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winrs.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\diskperf.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DisplaySwitch.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMig.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mountvol.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Dism\DismHost.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sort.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WPDShextAutoplay.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\wmlaunch.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmplayer.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPSideShowGadget.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\WMPDMC.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\wmprph.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpconfig.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-directshow-dvdupgrd_31bf3856ad364e35_6.1.7600.16385_none_7d9cbcec3df8da86\dvdupgrd.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fsutil_31bf3856ad364e35_6.1.7600.16385_none_28590620099da2d8\fsutil.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ocsetup_31bf3856ad364e35_6.1.7601.17514_none_41a3376575e751b4\ocsetup.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-eventcollector_31bf3856ad364e35_6.1.7600.16385_none_61573ee0c2c4be2b\wecutil.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ca00459dda59f6f4\netiougc.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_aspnet_regbrowsers_b03f5f7f11d50a3a_6.1.7600.16385_none_ddef5417d55eb944\aspnet_regbrowsers.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..e-managed-regmceapp_31bf3856ad364e35_6.1.7600.16385_none_b13a0967547ecab4\RegisterMCEApp.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_18a11c58aaf4d08c\MigAutoPlay.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a\newdev.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..policy-cmdlinetools_31bf3856ad364e35_6.1.7600.16385_none_3b3f55233d47d4f2\gpupdate.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_d527b0a5438b8346\drvinst.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..resentationsettings_31bf3856ad364e35_6.1.7601.17514_none_cb4d60191a09a7b0\PresentationSettings.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\posix.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\notepad.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-srdelayed_31bf3856ad364e35_6.1.7600.16385_none_b252497a75d8a174\srdelayed.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.1.7601.17514_none_be8bab32249b2a4e\RegSvcs.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-icm-ui_31bf3856ad364e35_6.1.7600.16385_none_a0a25363eee12f40\colorcpl.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-nfs-admincmdtools_31bf3856ad364e35_6.1.7601.17514_none_12d42225a9a7aef7\rpcinfo.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-securestartup-prompt_31bf3856ad364e35_6.1.7600.16385_none_4c045ec8fda52d34\fveprompt.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\tscon.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..sition-uicomponents_31bf3856ad364e35_6.1.7601.17514_none_2d1a84c49beb2055\wiaacmgr.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_7cf343cac8a829ec\attrib.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-w..ommand-line-utility_31bf3856ad364e35_6.1.7600.16385_none_a1802b822e2a878c\WMIC.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\ehrec.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-winre-recoverytools_31bf3856ad364e35_6.1.7601.17514_none_d7553e5fcf6b6373\ReAgentc.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_632ae4bc5d173763\tracerpt.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-verclsid_31bf3856ad364e35_6.1.7600.16385_none_bbbd275974c7e191\verclsid.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\write.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fax-service_31bf3856ad364e35_6.1.7601.17514_none_0b499f2c96e8f6b2\FXSUNATD.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..eoptionalcomponents_31bf3856ad364e35_8.0.7601.17514_none_7a9a2f07e4e23a48\ConfigureIEOptionalComponents.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.1.7601.17514_none_fa2fc39ab7937a51\resmon.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_6.1.7601.17514_none_1457169844ae9574\msinfo32.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-forfiles_31bf3856ad364e35_6.1.7600.16385_none_54f9c5c33edc5fbb\forfiles.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_22f5c6aadf559287\MigSetup.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-certutil_31bf3856ad364e35_6.1.7600.16385_none_b55b5e1094b0283d\certutil.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-winrsplugins_31bf3856ad364e35_6.1.7600.16385_none_160ccc8a92fae520\winrs.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\inficon.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-pdm-configuration_31bf3856ad364e35_11.2.9600.16428_none_32a601ad2b7a554f\PDMSetup.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.1.7601.17514_none_fa2fc39ab7937a51\perfmon.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-checkers_31bf3856ad364e35_6.1.7601.17514_none_d467c138cbce0b24\chkrzm.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..boxgames-backgammon_31bf3856ad364e35_6.1.7600.16385_none_668d031845881638\bckgzm.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..c-journalnotewriter_31bf3856ad364e35_6.1.7600.16385_none_9e59e11166b683d3\PDIALOG.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17514_none_4a5d2c9ecd59afa7\dnscacheugc.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\ehome\ehtray.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_44b0c76c35d4b76d\wab.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-displayswitch_31bf3856ad364e35_6.1.7600.16385_none_48b6a2a03e2c7b21\DisplaySwitch.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-sidebar_31bf3856ad364e35_6.1.7601.17514_none_2d02b12c3d47a517\sidebar.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7601.22091_none_d0d0722c3bb0dc09\user.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-regini_31bf3856ad364e35_6.1.7600.16385_none_0c2c92921b2478ef\regini.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_6.1.7601.17514_none_61acd141e5332baf\wmpnetwk.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-tzutil_31bf3856ad364e35_6.1.7601.17514_none_9cbe849a4e275c84\tzutil.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_afdaac81905bf900\explorer.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-gc-registeriepkeys_31bf3856ad364e35_11.2.9600.16428_none_0a3fe92b38dd8c45\RegisterIEPKEYs.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wab-app_31bf3856ad364e35_6.1.7601.17514_none_a0cf62efee3228a3\wabmig.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-f..temcompareutilities_31bf3856ad364e35_6.1.7600.16385_none_5cbb962a4f0d58c1\comp.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a\ndadmin.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3\csrss.exe	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2136	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2136	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2136	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2136	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2860	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe	32
PID 2524 wrote to memory of 2860	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe	32
PID 2524 wrote to memory of 2860	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe	32
PID 2524 wrote to memory of 2860	2524	ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab7097964d089e14d31be680156d7abb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\ctxmon.exe
  C:\Users\Admin\AppData\Local\Temp\ctxmon.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2136
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ctxmon.exe

Filesize
115KB

MD5
b41dd2240b072ec09744353fc20b7f83

SHA1
33ffb4d4d4cb3e38b674d71abef6e9946b0cf9a8

SHA256
2b8614f538c2d60ff88db94992fd42f938e444d0074308f8a02f3e7d7e38c3d3

SHA512
8fcc0366f7ea38b474205a6f9e1a0e7ca41dfc16be59e5c06b72eed32b83fb1936bbe1a2b9d77231dcff06d615347e51e9d0e7ec3f8fad31f42d1b4829adedd1

Download Submit
C:\Users\Admin\AppData\Roaming\pwrwin.exe

Filesize
256KB

MD5
f947e3091e6fd5dd4ac3b27d2d059a2f

SHA1
d2ba2b948dacebb0b856c865c3f71b7042f623ea

SHA256
75fd086efc1396950367e4ac4c214552b3ab285d846b68dfaf6e59a5828859e8

SHA512
95a5272e2a372db4fc5d786a83730d38b434a0b870dae423f6db62093326d250983a184a38b7ca62dba77423b7cb38534eb8ce74c15a2497d8208242de21fd14

Download Submit
memory/2524-0-0x0000000001000000-0x0000000001053000-memory.dmp

Filesize
332KB

Download
memory/2524-2-0x00000000004E0000-0x0000000000515000-memory.dmp

Filesize
212KB

Download
memory/2524-9-0x0000000001000000-0x0000000001053000-memory.dmp

Filesize
332KB

Download
memory/2524-11-0x00000000004E0000-0x0000000000515000-memory.dmp

Filesize
212KB

Download
memory/2524-12-0x0000000001019000-0x000000000101B000-memory.dmp

Filesize
8KB

Download
memory/2524-10-0x00000000004E0000-0x0000000000515000-memory.dmp

Filesize
212KB

Download
memory/2524-14-0x00000000004E0000-0x0000000000515000-memory.dmp

Filesize
212KB

Download
memory/2524-15-0x00000000004E0000-0x0000000000515000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads