abb3d6c47303c0997c01fe57c4d65fb6584d1b71ba6c9ead3c444a1af0999814

Analysis

max time kernel
149s
max time network
140s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
Size

184KB
MD5

d1fb5d13b37003fcdc03fb60c37b2fa7
SHA1

986f9d12c3d8594f092575325a715c94cf69afc3
SHA256

abb3d6c47303c0997c01fe57c4d65fb6584d1b71ba6c9ead3c444a1af0999814
SHA512

c4938a6fc7b0797c2f2f301969e73ec9d02a8a212c1e836fd168004d2ea48265ff9ab50b76bb58edf71b07d93030217ec5a847235f642daf4abbabb964b74489
SSDEEP

3072:Jw8LkOcHTTWpCM2JubEyyy6stvr7X5hZxbpyaV5DEjwowowowowowowowowowowy:zkbHTiIubE30ZhZxbpvqwowowowowowk

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\S:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\W:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\I:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\P:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\X:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\Z:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\G:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\J:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\K:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\Q:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\R:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\T:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\U:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\V:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\H:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\M:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\N:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\O:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\Y:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened (read-only)	\??\E:	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\runouce.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\readme.eml	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\readme.eml	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\readme.eml	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\readme.eml	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBrowserUpgrade.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\SEAMARBL.HTM	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\readme.eml	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\readme.eml	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\readme.eml	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBrowserUpgrade.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\readme.eml	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\readme.eml	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\readme.eml	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\readme.eml	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OSPP.HTM	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\readme.eml	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\readme.eml	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\readme.eml	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\readme.eml	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 2416	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	30
PID 808 wrote to memory of 2416	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	30
PID 808 wrote to memory of 2416	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	30
PID 808 wrote to memory of 2416	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	30
PID 808 wrote to memory of 2416	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	30
PID 808 wrote to memory of 2416	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	30
PID 808 wrote to memory of 2416	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	30
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21
PID 808 wrote to memory of 1184	808	d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Users\Admin\AppData\Local\Temp\d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d1fb5d13b37003fcdc03fb60c37b2fa7_JaffaCakes118.exe"
    3⤵
    PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml

Filesize
14KB

MD5
8c079de1ce7cd930ff74aab52963b61c

SHA1
69927e1dbd9e93ba133b169ff371e8af2c8b654c

SHA256
ef5f42a7026b4da56ed91d8ef67da8d3da5e93877141e8e4fb074d1f6e8cd0d9

SHA512
ec9637f37f93b2aff2a90ae9b163835855ea730f40ba08168b89a33edf114e23b4163e56e607081125a172fe6a63454a7c6ebb00cfe6270d8aa6d7b63ea99a04

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
8156706568e77846b7bfbcc091c6ffeb

SHA1
792aa0db64f517520ee8f745bee71152532fe4d2

SHA256
5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8

SHA512
8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
7757fe48a0974cb625e89012c92cc995

SHA1
e4684021f14053c3f9526070dc687ff125251162

SHA256
c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03

SHA512
b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
451KB

MD5
2419427c37bade44da30c0818a89cb07

SHA1
78bb95183333ab1da3d9672582b990d0cd20b178

SHA256
f16bbb0c137e684ced0ee0d3887efa1bd951875b618182b6de562a4938b31b80

SHA512
e5ce82de68aa706f604d445c8c115ff518d8961ee6ffc37161a15872bff9158342e2ca829f7f26b10577406a34c1d368b7d2ac2ed2ddd998354c5a63f2b9283c

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
640KB

MD5
2e4e775be123e049eb9018239025cbf5

SHA1
8bec1641a41b86e810a56fc151cc857a942d8505

SHA256
8f106403731090b2ebbfa152f378e8f0b6dd538527a58082e0a802e6f0c0bca9

SHA512
b01e3711eb57040596e8296f81f0685132eed7cf2b4be865848704bb1a4297614fa9068ea23a8fbf890605c347047d325b4a7ad4844f5f1f5a7630af6dbb2686

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
640KB

MD5
74eb5ca34ed90c6a5fcfc044c48eac27

SHA1
87fcd08f3238fc5a8e85ea477a496ed9fb102f98

SHA256
996245847991c59b2e743602a58f1519c7b2fd7925a026508b572d12f6e01d84

SHA512
7d135cfe7076d0aec193cf09d6548a3ff6f89ebf2c437f3599eaf309a913dbceb57e77429b57a3c0954e4ca25dcfd514fa42fd9c17d78a52be747155d1b98329

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
461KB

MD5
9cd6941585dc7b3be16793c81176daa4

SHA1
cce4884e21dcf7a6c2661bff526055317fc7a78f

SHA256
70e565461552f7a38ed972fb0451754cca222080c2fc7eaf3117f8a80acfe703

SHA512
0e058623730c52f911d039d3c0f5da92823a02274227fabc56cda44d02ad812fd74683737f693845b79eabfbea2cc5bd27ecd4ad4d13d64dbfe1e475af06d82d

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
451KB

MD5
68ca17ed62b7822209d8456707790acb

SHA1
b6e2f7f53a5e885c4f90625f2d7281b227848828

SHA256
aa048754cb32743ff97cb50172c0f4c6732a7acf473b6f16c6da5941e4b15511

SHA512
576e8c77d353cf1c1d6f1f79e45bf91abdc706db7a1de5ec3e3ad47a55bda3f82fcd56518d16a5b32206124ea19ea2481b9e0f6f29ba51513785b8a41e509a1b

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
461KB

MD5
2607bf8bfbc1916a9b3c11c74eba682a

SHA1
9e502fe474c93a624429987d9291b920e597f4f8

SHA256
b96a61bf5dbcd2e7929fc49548e2b8757fcee9d7a4ab482b564a5a8e5e1c2f18

SHA512
2dfecae4758b84441f3513a7e5e97ba4802bfdd0d6db298d8e2fb54304572f762e2e2adca5e04fa9d4237b735c9af327704351226dfc0d84129cc442528dd4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ose00000.exe

Filesize
152KB

MD5
a18b6c1144a860f4662214fc0230d778

SHA1
f04c22aa9fc3c967e3e589a78d3bc2239d3f13ba

SHA256
6dc0d915a1ed31029f25afb64828fcb9cb210edfc00d59c2dda6e91acd196dc2

SHA512
56b0b9827bdfab187128fc97e60df9f71b56150f9b9d52719ade36c5e50946d4fbd7046d57f4ed7bbb20bd60543d61db5c4a06c0c1a29dcd4154baa4ee1b34b5

Download Submit
C:\Windows\SysWOW64\runouce.exe

Filesize
10KB

MD5
d589657ad03c47ce8d8b897ed92f4b92

SHA1
1b18c6ce9be42d0b51dab4ce890fbbbea3f242e9

SHA256
4a237ae22ff07be60c8c4212fffe9d70bcfb99a6306792893cd6b07cb578bae2

SHA512
6e07ac4b75ba917e85744a0efdc4f9af57fbead6f923d373f4387e79048a1d8a49073fa735116e72682f8e7b26e65193bd7f9c0f65fadd39a5d4ff1822af4e78

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
8f9e639f392f54c6c540e4763d99ca58

SHA1
fb13bd9b0a3b3c153f8cef54ee586473806a5ed6

SHA256
d7da417e2cf405c8c624304aa8770d28dbf427ca3ecd4a979bbec8c91a8bbed9

SHA512
8da70e4d2505d208dad4dcfac366f8df0cb88badd2778ef6409c89be3227b43b9f44642c62d480aaa9d1b1f428307de8e31ec1383600127acd1ef5211f552b6c

Download Submit
memory/808-471-0x0000000000240000-0x0000000000272000-memory.dmp

Filesize
200KB

Download
memory/808-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/808-470-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1184-5-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/1184-4-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2416-2-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2416-1-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads