Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 22/08/2024, 14:10
Static task: static1
Behavioral task: behavioral1
- Sample: b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- Size: 184KB
- MD5: b7f1cc7f4b863115adf96e6d4e8acef1
- SHA1: 263f6475177fdce713846d732cd225113374ec32
- SHA256: 89d9737c7ac59672fd6b103d39fc0ba08a1077496758401e88fabc29baee9253
- SHA512: d8cd989af8b80ad8d1929fad9a5da1053da9947d219db3b0a3602397cde048825a79ef4d3618e6b3b87270d63745d16621bc82ca85b615fdf4b9ea8629fe2099
- SSDEEP: 3072:hQ4DTiTdU5+bbIg35hsQubK2izo8iDDGETdp1r0ghriYzkeM6h+AG4A1cByVhHgS:u4DTNWphkDdfHimzQVtgbxDkt
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
- PID 2924: mscorsvw.exe
- PID 2724: mscorsvw.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files (1 TTPs)
Steal credentials from unsecured files.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Description for all rows: File opened (read-only); process for all rows: b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- \??\T:
- \??\Y:
- \??\G:
- \??\H:
- \??\M:
- \??\P:
- \??\V:
- \??\E:
- \??\K:
- \??\O:
- \??\R:
- \??\S:
- \??\U:
- \??\W:
- \??\J:
- \??\L:
- \??\Q:
- \??\Z:
- \??\I:
- \??\N:
- \??\X:
Drops file in System32 directory (21 IoCs)
Process for all rows: b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- File created: \??\c:\windows\SysWOW64\dllhost.vir
- File opened for modification: \??\c:\windows\SysWOW64\msdtc.exe
- File opened for modification: \??\c:\windows\SysWOW64\ui0detect.exe
- File opened for modification: \??\c:\windows\SysWOW64\searchindexer.exe
- File opened for modification: \??\c:\windows\SysWOW64\dllhost.exe
- File opened for modification: \??\c:\windows\SysWOW64\msiexec.exe
- File created: \??\c:\windows\SysWOW64\msiexec.vir
- File opened for modification: \??\c:\windows\SysWOW64\locator.exe
- File opened for modification: \??\c:\windows\SysWOW64\snmptrap.exe
- File opened for modification: \??\c:\windows\SysWOW64\vds.exe
- File opened for modification: \??\c:\windows\SysWOW64\svchost.exe
- File opened for modification: \??\c:\windows\SysWOW64\lsass.exe
- File opened for modification: \??\c:\windows\SysWOW64\fxssvc.exe
- File opened for modification: \??\c:\windows\SysWOW64\vssvc.exe
- File opened for modification: \??\c:\windows\SysWOW64\wbengine.exe
- File opened for modification: \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe
- File created: \??\c:\windows\SysWOW64\svchost.vir
- File opened for modification: \??\c:\windows\SysWOW64\alg.exe
- File opened for modification: \??\c:\windows\SysWOW64\ieetwcollector.exe
- File opened for modification: \??\c:\windows\syswow64\perfhost.exe
- File created: \??\c:\windows\SysWOW64\searchindexer.vir
Drops file in Program Files directory (64 IoCs)
Process for all rows: b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
- File opened for modification: C:\Program Files\7-Zip\7zFM.exe
- File opened for modification: C:\Program Files\Internet Explorer\iediagcmd.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe
- File opened for modification: C:\Program Files\Internet Explorer\ieinstal.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe
- File opened for modification: C:\Program Files\7-Zip\Uninstall.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe
- File opened for modification: \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
- File opened for modification: C:\Program Files\DVD Maker\DVDMaker.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
- File opened for modification: C:\Program Files\Google\Chrome\Application\chrome.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe
- File created: \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
- File opened for modification: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe
- File opened for modification: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe
- File created: C:\Program Files\7-Zip\Uninstall.vir
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe
- File opened for modification: \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe
- File opened for modification: C:\Program Files\7-Zip\7zG.exe
- File opened for modification: C:\Program Files\Internet Explorer\ielowutil.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe
- File opened for modification: \??\c:\program files (x86)\microsoft office\office14\groove.exe
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe
- File opened for modification: C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe
- File opened for modification: C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe
Drops file in Windows directory (21 IoCs)
Rows are description | ioc | process:
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | mscorsvw.exe
- File opened for modification | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe | b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe | b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- File opened for modification | \??\c:\windows\ehome\ehsched.exe | b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- File opened for modification | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2A7EB63D-3CED-4368-83CC-8DC3F9B3E65C}.crmlog | dllhost.exe
- File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe | b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- File opened for modification | \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe | b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- File created | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir | b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- File opened for modification | \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe | b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- File created | \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir | b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat | mscorsvw.exe
- File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- File opened for modification | C:\Windows\LnkStub.dat | b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- File opened for modification | \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe | b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | mscorsvw.exe
- File opened for modification | \??\c:\windows\ehome\ehrecvr.exe | b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | mscorsvw.exe
- File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | mscorsvw.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | mscorsvw.exe
- File created | C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2A7EB63D-3CED-4368-83CC-8DC3F9B3E65C}.crmlog | dllhost.exe
- File opened for modification | \??\c:\windows\servicing\trustedinstaller.exe | b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Rows are description | ioc | process:
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mscorsvw.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 2096: b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Rows are description | pid | process:
- Token: SeTakeOwnershipPrivilege | 2096 | b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
- Token: SeRestorePrivilege | 1688 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 1688 | msiexec.exe
- Token: SeSecurityPrivilege | 1688 | msiexec.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7f1cc7f4b863115adf96e6d4e8acef1_JaffaCakes118.exe"
  PID: 2096
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  PID: 2924
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  PID: 2724
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
- C:\Windows\system32\dllhost.exe
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  PID: 1872
  - Drops file in Windows directory
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1688
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 300KB
  MD5: 6ef9f0512b227f6f63626f72a354f058
  SHA1: 75b720e67d1a455c2d4827b67be3e187990656d5
  SHA256: 3a5c429a37ef856a2973db1ebd1c93009adfc1e4c1db61e1de7337811c33f111
  SHA512: 9402ddf3ecbc684978cda0c4df6477c5367e72e065f75c74010b77fec6bec48e3fc7eb7e413d274a3776e667549ff3706c4bf3e72799b10f8ce4dadfc68700f6
- Filesize: 219KB
  MD5: 7a49296de3a2443394070362dcec690b
  SHA1: 4df14bac00e28b6552877fbb7327b4cadcc87606
  SHA256: 5e8c5a55618176ad0f8de26c436525ab315b5764a936f06d1876427006b87383
  SHA512: 10cc5c71b070167c389b99e3c455e906b92fe1cbc1367b89ac0a7142b66e1736261e08635904e7167461edd4101b85f1d885b83727df97442fa31e0bc3d9d80d
- Filesize: 1003KB
  MD5: b88e8ffe436d9ee4ae0f6fe877866ee8
  SHA1: da05939c4624f8a367a8b0b7f7b527eca705170b
  SHA256: 2182e17e8d175f4ec9b836ecebfe59ab4d0d594f1422c379877a44922cc4294a
  SHA512: 35db438f59578052c3e7bfff589e00abeeb0b72ec2b279a32509f883c63da99a09c09bb40067732865f138c8dd9b8692c49e86e42024fb5a5299baf14926c129
- Filesize: 250KB
  MD5: 55e1e08bfd98f51ba7d1f65e17c6ee59
  SHA1: 52b3fb3f0aeb9d86c74432db4dfdd3e9e19e80ca
  SHA256: b5f4b429425f526843d4d54babcfcb16ebdfd576dfa729cf830d0672f007e192
  SHA512: 627b4f6fd769c1ee00bdaffc3e9185b512935fb6d4651fe5c0a5b71899b63f233c37558427e316d602e10962cfe29e1bac1ee1bc00f5a95d6a5b34054da03a5c