agenttesla | 3b52e2715d15a2e959d559fe820e7f71ddf1307f1bf4a52da683097a759ef319

Analysis

max time kernel
136s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-08-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
Size

1.7MB
MD5

cb4fab4e71dd1b69d127da402f1fc6e0
SHA1

cafdcc17f25f5c3be6bf78f87741708d553ff3c8
SHA256

3b52e2715d15a2e959d559fe820e7f71ddf1307f1bf4a52da683097a759ef319
SHA512

eb679dd222d56bf39f2d22d5be259283c43d6492eaf8f07f4d8332e572ee4a9702e9aa459d083c6a461eb90a3a218f04b2521857eb24493e2bc84de2833f88c9
SSDEEP

24576:BLXXgOM61tPSgPCGoQqS5haQnI/C+wH7cT:BLN1tPS/GoZS82H7i

Score

10^/10

agenttesla nanocore neshta collection credential_access defense_evasion discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

blackhill.ddns.net:54984

185.125.205.75:54984

Mutex

c7192853-3ef1-495d-8d9e-aa7345c98e7f

Attributes

activate_away_mode
true
backup_connection_host
185.125.205.75
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-07-28T15:08:16.000917836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Lord
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c7192853-3ef1-495d-8d9e-aa7345c98e7f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
blackhill.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Neshta payload 12 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010317-11.dat	family_neshta
behavioral1/memory/2416-86-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2416-90-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0008000000016d07-91.dat	family_neshta
behavioral1/memory/2276-97-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2540-106-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1132-116-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1332-129-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2052-195-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1052-618-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2304-635-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2888-682-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

AgentTesla payload 20 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d21-128.dat	family_agenttesla
behavioral1/memory/2060-142-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-144-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-146-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-149-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-148-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-153-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-168-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-151-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-170-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-167-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-165-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-162-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-161-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-159-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-157-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-156-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-155-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-154-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2060-152-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 16 IoCs

pid	Process
1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
2276	svchost.com
2540	svchost.com
1132	svchost.com
1332	svchost.com
1320	raworigin.exe
2016	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
2060	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
1824	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
2052	svchost.com
1548	adobe.exe.exe
1052	svchost.com
2304	svchost.com
2888	svchost.com
2936	adobe.exe.exe
2884	adobe.exe.exe

Loads dropped DLL 11 IoCs

pid	Process
2416	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
2416	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
1616	cmd.exe
1616	cmd.exe
1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
2052	svchost.com
1052	svchost.com
2304	svchost.com
2888	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	raworigin.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	raworigin.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	raworigin.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	adobe.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	adobe.exe.exe
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	adobe.exe.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\Users\\Admin\\AppData\\Roaming\\MyApp\\MyApp.exe"	raworigin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\Users\\Admin\\AppData\\Roaming\\MyApp\\MyApp.exe"	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\Users\\Admin\\AppData\\Roaming\\MyApp\\MyApp.exe"	adobe.exe.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	adobe.exe.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	checkip.amazonaws.com

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1532 set thread context of 2060	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	47
PID 1532 set thread context of 1824	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	48
PID 1548 set thread context of 2936	1548	adobe.exe.exe	65
PID 1548 set thread context of 2884	1548	adobe.exe.exe	66

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 6 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\raworigin.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\raworigin.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\adobe.exe.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\adobe.exe.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raworigin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{67408121-66F5-11EF-9232-D6CBE06212A9} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb780000000002000000000010660000000100002000000026e6c222c692611e484d064d37dcb97aa35ce356dfd1adcb778f493062928a6f000000000e800000000200002000000008939a661d5a25d9652b3da7cb77fc3153f93df4ec78af40301e3a524f58747090000000eb5837066e369b023acb6505f823255e52afa81398bb1331e54f1f00098342e2a1d578ed9d5d13053de0226144909a51c14adc86a4661d749c2f9e984a00650186e4e5938a6e45641ff62557fd792f6e4bfc03dd09bc459d67121e22f3fa3b9ead5621cd375634e1cf01207fda37e341df395928148fb0f79199d8cc9201506d1a2b43952697776060ba1d73496c158340000000a5dc86e9e2fba27a342b4800688ad61d50fb430faef8740aaddd2da5a2b8f51858b5205e28b3a10b7e9b8745c4aa06184805ca27baa85d7165c82b07c7746f90	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10d7d73e02fbda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431200833"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb780000000002000000000010660000000100002000000069c051cf03851f9450acf474f6fed2d2240bc496ad3f8f22bf738bff8487d352000000000e8000000002000020000000769ca7e49d0f22418f0e5226a47ab9a51dc449d353c73ab9ce5b52661c3733b0200000000fd4ffff3bf458f6baeb2c7fdd0085961fef95bc5f6cb78ea3745d91d4b03ea040000000301332e3a1845cafe6911c201a25e0f54353199d10660c10336ef817b783dddc8f11ef04fab987acd957bc13732368032eb3b34925b19e39c9d8f681aafd1e9d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe

NTFS ADS 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\raworigin.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\MyApp\MyApp.exe\:Zone.Identifier:$DATA	raworigin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\adobe.exe.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\adobe.exe.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\raworigin.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1320	raworigin.exe
1320	raworigin.exe
2060	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
2060	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
2060	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
2884	adobe.exe.exe
2884	adobe.exe.exe
2884	adobe.exe.exe
2936	adobe.exe.exe
2936	adobe.exe.exe
2936	adobe.exe.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2884	adobe.exe.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

pid	Process
2060	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
2936	adobe.exe.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
Token: SeDebugPrivilege	1320	raworigin.exe
Token: SeDebugPrivilege	2060	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
Token: SeDebugPrivilege	1548	adobe.exe.exe
Token: SeDebugPrivilege	2884	adobe.exe.exe
Token: SeDebugPrivilege	2936	adobe.exe.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
852	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1320	raworigin.exe
852	iexplore.exe
852	iexplore.exe
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE
2060	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE
2936	adobe.exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1532	2416	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	30
PID 2416 wrote to memory of 1532	2416	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	30
PID 2416 wrote to memory of 1532	2416	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	30
PID 2416 wrote to memory of 1532	2416	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	30
PID 1532 wrote to memory of 2276	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	31
PID 1532 wrote to memory of 2276	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	31
PID 1532 wrote to memory of 2276	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	31
PID 1532 wrote to memory of 2276	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	31
PID 2276 wrote to memory of 1272	2276	svchost.com	32
PID 2276 wrote to memory of 1272	2276	svchost.com	32
PID 2276 wrote to memory of 1272	2276	svchost.com	32
PID 2276 wrote to memory of 1272	2276	svchost.com	32
PID 1532 wrote to memory of 2540	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	34
PID 1532 wrote to memory of 2540	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	34
PID 1532 wrote to memory of 2540	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	34
PID 1532 wrote to memory of 2540	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	34
PID 2540 wrote to memory of 1760	2540	svchost.com	35
PID 2540 wrote to memory of 1760	2540	svchost.com	35
PID 2540 wrote to memory of 1760	2540	svchost.com	35
PID 2540 wrote to memory of 1760	2540	svchost.com	35
PID 1532 wrote to memory of 1132	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	37
PID 1532 wrote to memory of 1132	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	37
PID 1532 wrote to memory of 1132	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	37
PID 1532 wrote to memory of 1132	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	37
PID 1132 wrote to memory of 2928	1132	svchost.com	38
PID 1132 wrote to memory of 2928	1132	svchost.com	38
PID 1132 wrote to memory of 2928	1132	svchost.com	38
PID 1132 wrote to memory of 2928	1132	svchost.com	38
PID 1532 wrote to memory of 1332	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	40
PID 1532 wrote to memory of 1332	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	40
PID 1532 wrote to memory of 1332	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	40
PID 1532 wrote to memory of 1332	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	40
PID 1332 wrote to memory of 1616	1332	svchost.com	41
PID 1332 wrote to memory of 1616	1332	svchost.com	41
PID 1332 wrote to memory of 1616	1332	svchost.com	41
PID 1332 wrote to memory of 1616	1332	svchost.com	41
PID 1616 wrote to memory of 1320	1616	cmd.exe	43
PID 1616 wrote to memory of 1320	1616	cmd.exe	43
PID 1616 wrote to memory of 1320	1616	cmd.exe	43
PID 1616 wrote to memory of 1320	1616	cmd.exe	43
PID 1532 wrote to memory of 2016	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	46
PID 1532 wrote to memory of 2016	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	46
PID 1532 wrote to memory of 2016	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	46
PID 1532 wrote to memory of 2016	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	46
PID 1532 wrote to memory of 2060	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	47
PID 1532 wrote to memory of 2060	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	47
PID 1532 wrote to memory of 2060	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	47
PID 1532 wrote to memory of 2060	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	47
PID 1532 wrote to memory of 2060	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	47
PID 1532 wrote to memory of 2060	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	47
PID 1532 wrote to memory of 2060	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	47
PID 1532 wrote to memory of 2060	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	47
PID 1532 wrote to memory of 2060	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	47
PID 1532 wrote to memory of 1824	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	48
PID 1532 wrote to memory of 1824	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	48
PID 1532 wrote to memory of 1824	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	48
PID 1532 wrote to memory of 1824	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	48
PID 1532 wrote to memory of 1824	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	48
PID 1532 wrote to memory of 1824	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	48
PID 1532 wrote to memory of 1824	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	48
PID 1532 wrote to memory of 1824	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	48
PID 1532 wrote to memory of 1824	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	48
PID 1532 wrote to memory of 2052	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	49
PID 1532 wrote to memory of 2052	1532	cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe	49

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	adobe.exe.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	adobe.exe.exe

C:\Users\Admin\AppData\Local\Temp\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe:Zone.Identifier"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /C type nul > C:\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe:Zone.Identifier
      4⤵
      Subvert Trust Controls: Mark-of-the-Web Bypass
      System Location Discovery: System Language Discovery
      NTFS ADS
      PID:1272
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe:Zone.Identifier"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /C type nul > C:\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe:Zone.Identifier
      4⤵
      Subvert Trust Controls: Mark-of-the-Web Bypass
      System Location Discovery: System Language Discovery
      NTFS ADS
      PID:1760
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\raworigin.exe:Zone.Identifier"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /C type nul > C:\Users\Admin\AppData\Roaming\raworigin.exe:Zone.Identifier
      4⤵
      Subvert Trust Controls: Mark-of-the-Web Bypass
      System Location Discovery: System Language Discovery
      NTFS ADS
      PID:2928
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\raworigin.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c, C:\Users\Admin\AppData\Roaming\raworigin.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Users\Admin\AppData\Roaming\raworigin.exe
        
        C:\Users\Admin\AppData\Roaming\raworigin.exe
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1320
- - C:\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2060
- - C:\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1824
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:852
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:852 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1564
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\Temp\adobe.exe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c, C:\Users\Admin\AppData\Local\Temp\adobe.exe.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3040
    - - C:\Users\Admin\AppData\Local\Temp\adobe.exe.exe
        
        C:\Users\Admin\AppData\Local\Temp\adobe.exe.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\adobe.exe.exe:Zone.Identifier"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /C type nul > C:\Users\Admin\AppData\Local\Temp\adobe.exe.exe:Zone.Identifier
        7⤵
        Subvert Trust Controls: Mark-of-the-Web Bypass
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:2000
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\adobe.exe.exe:Zone.Identifier"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /C type nul > C:\Users\Admin\AppData\Local\Temp\adobe.exe.exe:Zone.Identifier
        7⤵
        Subvert Trust Controls: Mark-of-the-Web Bypass
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:920
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\raworigin.exe:Zone.Identifier"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /C type nul > C:\Users\Admin\AppData\Roaming\raworigin.exe:Zone.Identifier
        7⤵
        Subvert Trust Controls: Mark-of-the-Web Bypass
        System Location Discovery: System Language Discovery
        NTFS ADS
        
        PID:2872
      - C:\Users\Admin\AppData\Local\Temp\adobe.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adobe.exe.exe"
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: SetClipboardViewer
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        outlook_office_path
        outlook_win_path
        
        PID:2936
      - C:\Users\Admin\AppData\Local\Temp\adobe.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\adobe.exe.exe"
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
c35c3a227dd4d804ddb45372cf2be8b4

SHA1
46f02fc0efb99c50166ab0c5fa86307547eb8d9f

SHA256
4885b2e0767146c24fc78d9f6589b92c56ecd0ddc2fe1b95eeb5bf7a13e018aa

SHA512
90a41d3c7a45459b7e14bcbcb6580b2f3b1dc26b50babe8d1ba9a67ee55ccca52a820e104890af893781927024e84b615770fdc13ec723d4dfcd3d43c748e9ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b776b0490e32e6fe8e50be7fe9205127

SHA1
007cf9f363ad9f50b885f98354845d58d8c04208

SHA256
1fb913fd4f2369642b4cc0151908b68417df389b036a1a73c183ece6a902a8bc

SHA512
24bdb8441bcdcd14f89e61669fdbfee6a1b0a6cc432db457e9b999bf2d36b3cddaccc6e3bb94a832483513f3f5179affa7f5265f4f959b33633d2ccbb59e8cdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c4310d1bd057dbd0cef615120ece6ee

SHA1
e18b485173c8184ca21273523a8fe18f8fa38968

SHA256
0e67b726850797310107b65aed85b9b7085f5df5f417cc0ab9d9e8330f64c3d2

SHA512
e61775539a943c0ddb160c098fe37b72d58f5ee55984ca51b86610dcf02551e2f6d6daa7d6177f9f32810aac21d07ed21394994d93259088039d08ad96795f2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16d9abe0fdc2a399dadc318ebdb177ed

SHA1
50f1c8839468cfb192522ec9b24d50dd64aaa2f9

SHA256
81544bfba8d3c8675e5ac23333039bdfbd2c9408455867c0e38ced21c0d0175a

SHA512
753c8a68f1eeb858824276a3fe00c30a77f8e64379fa23bbd2f0d312df4f4d9450d5f43b74e82e4124a6891e97f738954555b4e55cad12a541772feb65c440a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b828c73fec7edb19de26415f75c5220a

SHA1
0c6a20a9b3d8b449e9317d9337c2bfd6969ff055

SHA256
46b40e490d519287df447c286d78913f1497c21fcf41fcb5268d76f41de7eb60

SHA512
f27195ab1117d82fd64a7e4edefa4f0e9b215684fb332e2fa1d183e7484029ac3a395e37048a471a510a1b5137dedeb5832229c25db5470ca1e4f1d4e1281fc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f963b3f490ae10459c6ac2516bcbc02

SHA1
7d4de79114ec96ee457bcce372a3a7a6a479a1fc

SHA256
048f1a71c831e75079496ceed1ea5b4f31bfa8a7ffd5096612e37d3d09e091bd

SHA512
09767b391b63148f6ac0ef47c2f50d03e1d493a3f5d917e90f3be7e120dd52b32a884ba757dcfa0bae37a59aa87777ca88b15407b49849caeb0058ab2cb8b1bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0d0ecb7f428e8994bea61fd2af49635

SHA1
cd35a828a98fc679cc36468e82c509515c393d19

SHA256
ce5fbf069ccdaec51bd8ee15a378e3ad1064746fa6ed42e501f4fcd023126ed6

SHA512
2f1186dbfa37b9aca0fd0968a805487f6df9ff38ea03f35cf213ceba45bac5c0453709d445ba7b228f4c80d3fd04ad49040dc4869bd6fb58873a76aff8bf540d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
736169f51ccf7be5599c1f19d5048aba

SHA1
8d9c1e075d7a6d517cfdd28ea7abcbadb35a9b6a

SHA256
568c287a781c0d8f73c265581d90d0257c013e41a8475161440f30d5a0aa4323

SHA512
1af3dd0618717e3284a5c7c44f04a919f39d04a2311d8f5ca35d74b59e8b79e77738a61d2a48fd646dfa37cc111fff8ee4405c63a85c2e1cf009528234e4beac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a57afa3467a4ec4c26c141e1806086b4

SHA1
19e7356803f42bf2f63601f050398e0c5ec1910a

SHA256
87ba7491077c7b7b976ee146074edc6d744110a196ada44afd534ce00a47bde4

SHA512
cf9426e7a78c456e767fb2ade4eaf9c07b0fd5c63fe7c4c0b6f323077389dcc9c339c9965006848c5128eb285a4e44e0bf42ee5c1398b75a34dc4a98f19b0cfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de0ff1cbad806c29b7c9574a30adc9d0

SHA1
f15a235881bd3e78d33ba063b1730bee624f96d7

SHA256
ff2e17f3d47f6a9f06dc4dcc95a528d1ff3326f1d5158521c6570dd14e4320f8

SHA512
e086c87cf027c67559abe52ea2e66ba027174a560ce35a8715aea58daa44c82cf45bebf366fe931a6adc09fc391ea7351087d17aed79853d0e9d982a5c763dc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
beca529d57262670eb9de0de4c5f4422

SHA1
d648362e1727e856ceff46f89d904b8c87d9b949

SHA256
3de4aad683c862e09627d25664f7c6e4833c3a71740c4d6486d97a5027db0cfc

SHA512
b7d835823d3a1a3075124f4bc00584d2353e9289ffbdf2943f1f7182f49b1578820d32fe58226a0ec774e9f3f60675481a7964bdb37b58d894af10594f5128f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3594ef14e3f68ff57642ed67d9478fde

SHA1
c921eefa2dc966ca0c8f38f50a455f3245678da2

SHA256
8c130c5c7dc325d07a8fee1325713c79cdc26f18ce3fc2c785fd1dcd7668e668

SHA512
afba655608fbd4b0f2bae7e809e8dae4cc4dc038c9da08e612621b2fb139abd5a9373fb07f736bda112cf5429851fdf095e9098de0bde2117f77a9e076174df4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ada2860636bccd23c3182989936bc75c

SHA1
23a304eb01d977ed77062f754a2eb7f858764bb7

SHA256
062c14be86d7163e48eb74dbcfc10481f7ad88278a5c5111d54740f4eb98424c

SHA512
e6e555ddd9e102004822f48d55da0c4c04ed4369429f824983f4e2a36da72ad040671ea51d41746ca34560754a213e0bfc018004430bd35eec12bf0e2174d5a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17320c0f857b0aacda31621375110a23

SHA1
56e8f7071492f3baae1499f921637bc5a9f4f0b5

SHA256
08575eacb14112f50dcf9c500e96a6a5d3fd9ec616711e8a5c5c012ae99173d6

SHA512
53b0711320ba4cef176e7548646d44bb7c23c69d913cc948bc0f7880e771de640a7e73b474b11840f1a3602b57c93b0e9707f1b5a03495d58f022780405d2e64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f830be2907982d5f0390f0a8135bf5e

SHA1
12cb9f18db81d505b5c1d3961bfbd08922840432

SHA256
39dd54202f4868a1058150403d25a943a644c3f5d1d67641f513e0a1247ad276

SHA512
ed0c2356d80f77568d7520ea0b4d9b17b052db9cf55c47a91e57bfbbd79166870b198b0e4590f413da234912337631965bfc8e622c38bf4229688f5dff3fae0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19111cf4f2348ac75c3a426c9680223f

SHA1
afdf8d431bdf5325cddcf679949812cc3f402529

SHA256
ddb93c65e8fcdd5b61b62e159d3419a65ef9f45490b9f0b6b55358086fe3e4bf

SHA512
a61e030f4713685885e1898ddde40fac29c6c68e830ca990e61c5011a45e7f98b4eb76084cf124db035a41c62342facae9c130726a9215e3e0e76e971c25fbda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfdf7aab55b8deb9182b231a79f53a08

SHA1
cae731fd8e5f1dffc4838fbeee60926269ea312c

SHA256
3644219177dce16f6cded054fa141dceda2fb62cac811cf791f6f30bfa90e8ee

SHA512
4e9a2ed4dcd2ee5e97ab33125ad7e86f973f6db40e3f6b1cac69fc4ca3f8a7c3871b78c71a850dfb061a17f6edaff41fbf00ebc4e3c211f57465d68148500972

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52f0f8641777dc531961b4e9d1baeacf

SHA1
a250e82127319720481eaf0ce1cd8ffb5a6907dc

SHA256
50e7843b9249ec29f0a4437581d3ffb5411d1176b1c8596b6eca08d5445e30ac

SHA512
d82c0066dfc19d87869550eaf2555b16bdfc90c5c049fd49c58bc1a1013fccc49c522eda6d7a17ac49420a5ab33b963464a59bf341ff63d74c2388577e133e90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d947cdcc59dcbbee12cadab0814effe

SHA1
41540c93b775748dfb74e769a548f1b0fad8dcc4

SHA256
a5d3e4c334c2d24f43d925a9b70bb8f3a85da2696a659070c20e1d19b466d365

SHA512
d08d466b52d8cc23be93faf952d836964f94d1b04f2b909fd34af2f175544f1f0eecac7fe61375336337d6a36b7ec93c413bb7bc5156774ec5106a4440ad79dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19f0d79d0f68d416662b89c69cd4349a

SHA1
f94f87ceaebdaf5d9755f573deafe237e6b61ae1

SHA256
b464878f85900b06c99f627faea8781ff3398410eb13a6b6c0f450f4d209c6dc

SHA512
fd8b61e9154adf48a48ff0e52e93a67f52298878f8beebedefb79a07b7a6a4c2aa6c88c1b0f571ff669153194f4f3d0bcdb8f73b512dbb675318af219fc8e2b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6121c9c6803d17be7e83be0a31f9d0e9

SHA1
fb0e52cebf18927307233849176b23b17874e971

SHA256
49453b4313631e8057d2b74f93131f288dd1a4f63bc1cccc69e221096aed18c4

SHA512
145abd1f8d105642c769d8b483db08c9c8ab54567304c1ec218fc3e82aff858dc0af2d4cb940648de11de91742792625e96094e1dfb96780cc884bdb03244d99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1f38e75d1f79ad3b6ad1a36e2fe00c6

SHA1
813626e2cefee61e413fb38fa00c5ab777fd8959

SHA256
a5a3c24db59a9227c56bd4f15d20ced33e6b0d9d910d935415cc09c2cddf7284

SHA512
e4be607c23e8672b22d416abfcacb0b60fdbacc1111996e8ae953c4ae7b990046e2568d54300cd7725b28d29f4f036d412f8bc2ac70b17e794a88f0cc11e96e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d835cce2e2dcc45b8ed114f8ebb2d0a

SHA1
22352dd9cd7484483f850b5764f76a5b7466e4e4

SHA256
98f2220fee53482a110bacefe4d917c7842169c83da7afc60d0aae656819cf9b

SHA512
a59b09def181c06236754d5cbc62f8944d0e8f1ce068691a939ea9f1419792db2b4b843b916da0167fec27172d53ec1ab5827f0555bda4cdda7cb0ea21bb9b40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13367c8a838ab69f2170f7be9047cd2b

SHA1
285c7b3a0e78a7852e02991629714666a52b85bc

SHA256
fa652dae38eb70968badbc09f0f75c2518133703cd331b1d345a39e48155e91e

SHA512
586cde9772e33fdebdc292c245123c391b66de2c710883c9694fa6d0f7581fc7fea8fc45ee6aa63d57ed47087e825fe8997bcd7aac4f0c8c9e34588777e9fdff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3e2c9bd26d42ac157e162a796031cb7

SHA1
06e813e33157fe66250c8d8c633473c31ddf12d9

SHA256
66c566d1bf455b1adfb4a4d1315d8685f9f6f15e70374544ceb38feead4bb97f

SHA512
753f780a664db08b141d464c41791d3c8d10f564559b2abd0984cb83b0ec2ace0ea0364547d1f5ad9950105b5c9da5e9c2d1d070677feec194313dba4866aeb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aed0c2a57943ad029b209b35ab6034cc

SHA1
3191a5fa2c85604f15278ce9bd56ecc0f9fc0106

SHA256
c70c3494e71060f444bb7f0843d7266d92f6bb56faa359f46b23507e4b1d17fb

SHA512
43eeb6de42a0c86c18fc1decf41e43027c2f32f6a93d2aa39a375d1c773a99888d61c58029cdfce9430b6c283ef60461fc015d1ed31a570ae1b43b17480d5035

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abcefba5399c125ebf8e54d3f2943575

SHA1
444dac3e215a21cf4f16f1921e50ed07fdf5b680

SHA256
cd615c1bdfceb895af9564d8411da50c974deab82a2ff64debb150efbb82f02f

SHA512
9344373cc458e33de45ba034e76c0e4fa023a2d91fb2dd8a3a0c5a0f9e689b6fcb97b44ac1b48f3162e0bc6f18822eda03cdbb4d74f1c19d6eb3a0f77158466b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60bfff74612a4eb799b89b2cf8b40a7f

SHA1
c025c7d6990be6db139ef9d3eecf76820dccc526

SHA256
73e1a4715603f0476870e8920500a1885782a1de34738337deb2c6c1e8bc8038

SHA512
eae15cefc7a7f79371ad55a2cb5968c5ff5ca46f5533235969390184d4337e2dd1c0d123c87281ed5590608ba1edfbfe43e80a6ffe408772770c4f10d59693d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab337F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar33F1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
064de3bc29aaa635c7807d89f204c604

SHA1
8897db356ea5fa56dbcebf5debe2a7ee11c613ef

SHA256
2aa5806d0bb85b6610e5505d06975a780e3dcc16ccc7f16d05b43d5028c00f16

SHA512
1d10d54f7ac8aad5b4f0eed24583e5edfee457b12fe64b7c313baf09bdbe74186a538f4b2115f0eb96ea09656ad6b7672901613ea276d79a7693e11dd6d6b818

Download Submit
C:\Users\Admin\AppData\Roaming\raworigin.exe

Filesize
280KB

MD5
6d8b693c6ab6fe02cda6269b6dc8c844

SHA1
eaf1053619f14da17a421407a49d7b3221ef7718

SHA256
7a463066b8b47957b3a802a3dd533a84e3caed1fa20e1b9ff0a24c643a5c0c07

SHA512
2b890da65878c4bb6475d6027096b3e327b0a3587685135cef99066d63e902bb67d053fa07353ad27e28ea954a31834221f25acab30c213dcb3df7b51b7d6e88

Download Submit
C:\Users\Admin\Documents\raworigin.txt

Filesize
32B

MD5
1c6bc361b96332cb2184da6c0e06acb6

SHA1
6a24a78fe4d3b94753d11c52aad3df2f5089518d

SHA256
2632640b8d8c5eaad8ce9249fdd0398391390d7bd984d61d2d6a8fbfa06a2d4d

SHA512
695e25ef111ec028edbedad540575e6c604ec437c2a921c5995812f40651d6abd95d4b9db9c3042a2a46da2c9c695a170a96078517e0e43ed5f6dee6972bce56

Download Submit
C:\Windows\directx.sys

Filesize
29B

MD5
8e966011732995cd7680a1caa974fd57

SHA1
2b22d69074bfa790179858cc700a7cbfd01ca557

SHA256
97d597793ec8307b71f3cfb8a6754be45bf4c548914367f4dc9af315c3a93d9b

SHA512
892da55e0f4b3ff983019c11d58809fdcb8695d79c617ddc6251791308ee013bf097d1b4a7541140f7a01c56038a804974a4f154cc1b26e80e5cf5c07adf227c

Download Submit
C:\Windows\directx.sys

Filesize
75B

MD5
c6fe34354696c4b29823f5d84382bc07

SHA1
c1ab6bf9447f523035ac58aef1a97f27a310182c

SHA256
2213d1a1368cc9e8b9d2f1fdcd3303a16ac319267659ba9ae354a1b195d58fdc

SHA512
10a151d77a0646973104d8f3b7a3e95d0c3e4307ddad5629b66e6d2f02e0e47148aee8eb36a6e8bd12c20bb33a34cdc31d8120ecbf841bb2be5a189243fc868d

Download Submit
C:\Windows\directx.sys

Filesize
124B

MD5
16039abfc6d09e2c2e1db21db8c1c0b5

SHA1
c19716c728cf7cf4eadcc831caa5c29e3da61eb2

SHA256
c9874ae2c8e6c0c992dc1afb0f5f4c0f34686175fcb3b9003d28b3399ae4035f

SHA512
60660275e113bbc80337f289bca2b0c4ec69e7d1f1915f8cdbc77ef87e4c2b31bed27c5ba15ae18a76353c68b7dd8e6cd6cbadb0789c25201f1a17a982bd4ee6

Download Submit
C:\Windows\directx.sys

Filesize
75B

MD5
f666d9e4c4ec593fbc5074f4d278c380

SHA1
7fcb94c0ebab64d7c0c5cbe6d2c992da90828770

SHA256
d0781f3d144e4b18686d3208963a8677026bfd146dde2a1ad63b43459f377969

SHA512
b58b480ce224a7740f74b4e43265e760479d98a1c11f75e464b463b46dc7c0037b6781d3eeb18713bba5ddf3fea882572d04260094ad0264534b12608ca5f95d

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
f04d7fe31ebf1dbb0405754e5c427520

SHA1
ab675d88224779b21400ded68855d1e2c985fb43

SHA256
d88d657bdf1ce6ff2d79e16df36abec3b903ea39ed53f45353492bbe218728d6

SHA512
c9c6455ebc8a95d08d1d16fe5e52321dc99d0f775f5fab11e04008006de6c6f5c23ed085b3f8e3669723de5b3ce1d83dfc5241df0c6965014066ed90b79674f9

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\cb4fab4e71dd1b69d127da402f1fc6e0_JaffaCakes118.exe

Filesize
1.6MB

MD5
e49e926e0d79c95c267feb22378c4087

SHA1
ae140b01e33fd37f4a0b618b61b2718454f62745

SHA256
1163beac07d18af88d5065cd42aa4735b0cbd827af002abed4de8c226d73632e

SHA512
0509153e11e2c5a1e6b4700e4570e9e691a7173326a13ce4c48ab669e2e6af7251c123dbe43de91a0777a5444f32b9cdfd14dddf8be0b510c34cec5ba9d4b2be

Download Submit
memory/1052-618-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1132-116-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1332-129-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1532-98-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/1532-88-0x0000000000500000-0x000000000052A000-memory.dmp

Filesize
168KB

Download
memory/1532-87-0x000000007431E000-0x000000007431F000-memory.dmp

Filesize
4KB

Download
memory/1532-133-0x00000000045E0000-0x00000000045EC000-memory.dmp

Filesize
48KB

Download
memory/1532-13-0x0000000000880000-0x0000000000A24000-memory.dmp

Filesize
1.6MB

Download
memory/1532-12-0x000000007431E000-0x000000007431F000-memory.dmp

Filesize
4KB

Download
memory/1532-107-0x0000000002340000-0x000000000234C000-memory.dmp

Filesize
48KB

Download
memory/1824-178-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1824-172-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1824-183-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1824-184-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1824-181-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1824-176-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1824-174-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2052-195-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2060-165-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-146-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-154-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-155-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-156-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-157-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-159-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-137-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-139-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-161-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-162-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-201-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/2060-167-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-170-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-151-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-168-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-153-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-148-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-149-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-142-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-144-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2060-145-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2060-152-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2276-97-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2304-635-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2416-90-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2416-86-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2540-106-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2884-1164-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/2884-1163-0x0000000000580000-0x000000000059E000-memory.dmp

Filesize
120KB

Download
memory/2884-1162-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/2888-682-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download