Analysis
- max time kernel: 149s
- max time network: 95s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 23-08-2024 09:19
Static task: static1
Behavioral task: behavioral1
- Sample: bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
- Size: 130KB
- MD5: bb27b1f9c0b075e3d5c4d2f12c78e083
- SHA1: 9185ec5efe66698fc7d04ce0363c10d1d6299506
- SHA256: c3de4bbd4616d73e6b2796778762c82a68712370707e6a8206065e87c9b2a6ad
- SHA512: 7ef1bc5ea4dba761f6dc80110996569c5801054ed6316830d83dca2020689fd3fd01356111b4967a6e09dc33058fd02fda779fb6d362b8ef4ddb27b491858a3a
- SSDEEP: 3072:3kVD1BSqao9c3HwsanTdgyOxsP+f+wmCDJV:wSqjc3HsTaxoqrmCDJ
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe" (process: bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Serverx = "C:\\Windows\\system32\\Serverx.exe" (process: bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe)
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe: \??\M:, \??\N:, \??\S:, \??\V:, \??\Y:, \??\I:, \??\K:, \??\T:, \??\X:, \??\L:, \??\P:, \??\Q:, \??\R:, \??\E:, \??\G:, \??\H:, \??\J:, \??\U:, \??\O:, \??\W:, \??\Z:
- Drops file in System32 directory (4 IoCs)
  File created: C:\Windows\SysWOW64\runouce.exe (process: bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe)
  File opened for modification: C:\Windows\SysWOW64\runouce.exe (process: bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\Serverx.exe (process: bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe)
  File opened for modification: C:\Windows\SysWOW64\Serverx.exe (process: bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe)
- Drops file in Program Files directory (64 IoCs)
- Program crash (2 IoCs)
  pid 2176 (WerFault.exe), pid_target 1572, procid_target 31
  pid 2212 (WerFault.exe), pid_target 2176, procid_target 32
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Net.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: net1.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe)
- Runs net.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Windows\Explorer.EXE (PID 1160)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe (PID 2864)
    command line: "C:\Users\Admin\AppData\Local\Temp\bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe"
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe (PID 1544)
      command line: "C:\Users\Admin\AppData\Local\Temp\bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe"
      - Adds Run key to start application
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe (PID 1572)
        command line: "C:\Users\Admin\AppData\Local\Temp\bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WerFault.exe (PID 2176)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 192
          - Program crash
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\WerFault.exe (PID 2212)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 524
            - Program crash
    - C:\Windows\SysWOW64\Net.exe (PID 2720)
      command line: Net Send * My god! Some one killed ChineseHacker-2 Monitor
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2620)
        command line: C:\Windows\system32\net1 Send * My god! Some one killed ChineseHacker-2 Monitor
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads