c3de4bbd4616d73e6b2796778762c82a68712370707e6a8206065e87c9b2a6ad

Analysis

max time kernel
149s
max time network
95s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 09:19 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
Size

130KB
MD5

bb27b1f9c0b075e3d5c4d2f12c78e083
SHA1

9185ec5efe66698fc7d04ce0363c10d1d6299506
SHA256

c3de4bbd4616d73e6b2796778762c82a68712370707e6a8206065e87c9b2a6ad
SHA512

7ef1bc5ea4dba761f6dc80110996569c5801054ed6316830d83dca2020689fd3fd01356111b4967a6e09dc33058fd02fda779fb6d362b8ef4ddb27b491858a3a
SSDEEP

3072:3kVD1BSqao9c3HwsanTdgyOxsP+f+wmCDJV:wSqjc3HsTaxoqrmCDJ

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Serverx = "C:\\Windows\\system32\\Serverx.exe"	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\N:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\S:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\V:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\Y:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\I:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\K:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\T:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\X:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\L:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\P:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\Q:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\R:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\E:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\G:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\H:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\J:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\U:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\O:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\W:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened (read-only)	\??\Z:	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\runouce.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Serverx.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Serverx.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\readme.eml	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\readme.eml	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\readme.eml	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\readme.eml	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\OutStart.htm	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplate.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\readme.eml	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\readme.eml	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\readme.eml	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\readme.eml	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2176	1572	WerFault.exe	31
2212	2176	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 1544	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	30
PID 2864 wrote to memory of 1544	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	30
PID 2864 wrote to memory of 1544	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	30
PID 2864 wrote to memory of 1544	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	30
PID 1544 wrote to memory of 1572	1544	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	31
PID 1544 wrote to memory of 1572	1544	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	31
PID 1544 wrote to memory of 1572	1544	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	31
PID 1544 wrote to memory of 1572	1544	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	31
PID 1572 wrote to memory of 2176	1572	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	32
PID 1572 wrote to memory of 2176	1572	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	32
PID 1572 wrote to memory of 2176	1572	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	32
PID 1572 wrote to memory of 2176	1572	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	32
PID 2864 wrote to memory of 2176	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	32
PID 2864 wrote to memory of 2176	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	32
PID 1544 wrote to memory of 2176	1544	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	32
PID 1544 wrote to memory of 2176	1544	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	32
PID 2176 wrote to memory of 2212	2176	WerFault.exe	33
PID 2176 wrote to memory of 2212	2176	WerFault.exe	33
PID 2176 wrote to memory of 2212	2176	WerFault.exe	33
PID 2176 wrote to memory of 2212	2176	WerFault.exe	33
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 2720	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	35
PID 2864 wrote to memory of 2720	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	35
PID 2864 wrote to memory of 2720	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	35
PID 2864 wrote to memory of 2720	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	35
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2720 wrote to memory of 2620	2720	Net.exe	37
PID 2720 wrote to memory of 2620	2720	Net.exe	37
PID 2720 wrote to memory of 2620	2720	Net.exe	37
PID 2720 wrote to memory of 2620	2720	Net.exe	37
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20
PID 2864 wrote to memory of 1160	2864	bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1160
- C:\Users\Admin\AppData\Local\Temp\bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Users\Admin\AppData\Local\Temp\bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 192
        5⤵
        Program crash
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 524
        6⤵
        Program crash
        
        PID:2212
- - C:\Windows\SysWOW64\Net.exe
    Net Send * My god! Some one killed ChineseHacker-2 Monitor
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 Send * My god! Some one killed ChineseHacker-2 Monitor
      4⤵
      System Location Discovery: System Language Discovery
      PID:2620

Network

DNS

btamail.net.cn

bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe

Remote address:

8.8.8.8:53

Request

btamail.net.cn

IN A

Response

No results found

8.8.8.8:53

btamail.net.cn

dns

bb27b1f9c0b075e3d5c4d2f12c78e083_JaffaCakes118.exe

60 B
124 B
1
1

DNS Request

btamail.net.cn

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml

Filesize
14KB

MD5
ca9ebb14e7f1758827ec8f29f9f03c5d

SHA1
0f7683bcf5b7a13eb3fce38c7091bd3558060f7f

SHA256
514fd6be40073426a9f45177ddfad0e83ec844d6abcce649838b1884714fc5a1

SHA512
cf91aff89f61ff281c6f42670c3674acc404b71234301bd09224dbede22a9ed647114e631857a321a61adbff063e6b050b319bef9dab4018060dace26f6edf12

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
8156706568e77846b7bfbcc091c6ffeb

SHA1
792aa0db64f517520ee8f745bee71152532fe4d2

SHA256
5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8

SHA512
8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
7757fe48a0974cb625e89012c92cc995

SHA1
e4684021f14053c3f9526070dc687ff125251162

SHA256
c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03

SHA512
b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
451KB

MD5
5c77667da93ada9c8224b36125fae720

SHA1
3729156b113bb06dd171d864a700ec95e4a5b098

SHA256
e676c05c9cfeed8a2d2746cf1af41326f2339a941780e175b76b547a087383d2

SHA512
37fadb8e8276baa42e05ad559fb4c5f9fbf94df85a4f868e24a3c4922202069afafed7c858fdd5266aa6ebe402afc7627f37523744bda528bd3cf273f8427e0b

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
640KB

MD5
0c9b52ea6f35ca4babf00044c10ae727

SHA1
899f5c709914acd994c642cde4d04fad630b8eb6

SHA256
d29aabd91f0aa8a608604d3788bbb5f915b578cb61985a9cd44e3a14e63a3f7a

SHA512
f447e5d3c2a659e7aadae7440f93845ae8ce7d2edbbed4cfff4004ab8a24865c250cc03d379e7156fac155b744f669e05cb6214d2401affa686a86de488b2713

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
640KB

MD5
ce2b03c42da76584df8fb71e3f3aedb8

SHA1
b72046524b700d36d4edc1c7456dbdf543224eba

SHA256
5d3b98986639d52d0ee15132ff496bf502adaea4067729b1638b547e1fc529e8

SHA512
4c680c242046fd914e6159f4c77788fdfd8a5b75e71bda0df39330241c4dacc9dd488675edf8a0a21a7ffd300a7b8980168c1380688350e785b02d07d20a1948

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
461KB

MD5
5ec2fdfd41a1c71a5be693a112d04630

SHA1
a834ac70e8327467d637ff18c9e32d5b172d942a

SHA256
9d5219a004814cbfcf0def77a79a07d342e97ad4a90bb47d3370c447881f0a5b

SHA512
b0fdc7f02c56fcf6e40b1238c06c57a6501a315471a6c56759abeacfce70cea8f81dbe8f75b249e669c11cb921758fcf5ea889c1d9469284af5804894041134e

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
451KB

MD5
1a41054becc69068ec821c9b9be673a0

SHA1
cd7a899b5253bed773207720c5e1c5fb317c32e4

SHA256
fae3ad60229578bc9127f8ce7531d99ad5a9099fc6ed1779a07ed76c635c96fa

SHA512
31164961e45a2e3747dca86db72ce172f69328d7cccc52657db35fab37ae27063d483514f491480d7deff7b2cf0d048f0171fd9e73899f1701dc7ec8eb66dda2

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
461KB

MD5
49a914b9554c00d46a501a66b2e97c65

SHA1
6ca1a651e48fc419462f7b7dc2b1272def50c99e

SHA256
295ad19cb7ba5e639015d9c9e5cb3d329997904e9eef251e51d9d6c3d641ab12

SHA512
791c1f68aa703d7664ad68e2a63a4096c1bc2fd1c122dc0e869946960a1d5e8997e3035a4fbc675ecdcb67e165e75971098d34243e1c34e6adcec214a8207787

Download Submit
C:\Users\Admin\AppData\Local\Temp\ose00000.exe

Filesize
152KB

MD5
8e57b2a878a577c6a7424c580f61c6b8

SHA1
473b398710b4f9949bae69fb0ef208b2a1ce2f15

SHA256
423635928fca3b76bedf5edad765c6cf5ab30ef4fde342e356d81b5c8bbc37ef

SHA512
7b1c71ae2b32d9f7fc3ce6c21af3ca582bd81ee85ef38f017d3bda5202c915ba5eaa73fbd5fb52d3cd8eb32a6c7183b885ada7c979df1c6f470fb15aa956d7ca

Download Submit
C:\Windows\SysWOW64\runouce.exe

Filesize
10KB

MD5
a3ce2a4c006e9958b1e42b9dc2843a6e

SHA1
14cf1fb1e5024fc4b01125324af97e861b239f64

SHA256
c5b1332fe2d550870d2a0117d05967e8141ad2b1462359e3ee7bb4b193fe73eb

SHA512
5e68eeedf0c55e19eebcf4f1a157bd8119c8e3182286426f74042b038e4a2368e69dd8f724f0442d95cce19b5915b1a984696bd2681cc6765e09c977343a7141

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
0920d608396bbe6bc38d288686df9d32

SHA1
8ee6143885f5538ec489151294f022e273514c9e

SHA256
2437d813f85c6e46c517ab9ab1703ee5e3605b8953be0cc975c28b043532c1aa

SHA512
9d682bc2aec34f2241028821eeefc353d347961298bd24bbc83325056ec78b935dde183f28363807b89d53a3641a7fe367a907cd198e6e66f905857ce623c637

Download Submit
memory/1544-1026-0x00000000000B0000-0x00000000000DA000-memory.dmp

Filesize
168KB

Download
memory/1544-1025-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1544-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1572-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1572-758-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2176-6-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/2176-747-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2176-5-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/2176-4-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/2176-481-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2864-1023-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2864-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2864-1024-0x0000000000120000-0x000000000014A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.