blackmoon | 7c5050753cbab1d4f72a0ef6ea8c06a68d6ea831ea84c9a8ff70614d3b656e91

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
Size

7.6MB
MD5

db4783d98a68a9798aa3c953999e98e4
SHA1

d8c76af371431c7211aff2758e2a2067168e5027
SHA256

7c5050753cbab1d4f72a0ef6ea8c06a68d6ea831ea84c9a8ff70614d3b656e91
SHA512

68fe18c9bb7b04e3cecb6e17f265c6919b740e935a53f8c10740b71c9b096367a335cbb74f312b8a8088d209fd08c49bfa353b0f7b46f13cff397bcfcfce0986
SSDEEP

196608:Ta9+6Y7SOEibgR7ZOfeWKCBoDmpZPzmGP8cGBfWJGBfWzb:TFgR7ZOfeWKCBoC2GuWeW

Score

10^/10

blackmoon xmrig banker discovery evasion miner persistence spyware stealer trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/1896-0-0x0000000000400000-0x0000000000619000-memory.dmp	family_blackmoon
behavioral2/files/0x00020000000229c7-66.dat	family_blackmoon
behavioral2/memory/1896-363-0x0000000000400000-0x0000000000619000-memory.dmp	family_blackmoon
behavioral2/memory/1896-525-0x0000000000400000-0x0000000000619000-memory.dmp	family_blackmoon

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 19 IoCs

miner

resource	yara_rule
behavioral2/memory/1896-0-0x0000000000400000-0x0000000000619000-memory.dmp	xmrig
behavioral2/files/0x000800000002341f-7.dat	xmrig
behavioral2/files/0x00020000000229c7-66.dat	xmrig
behavioral2/memory/1896-363-0x0000000000400000-0x0000000000619000-memory.dmp	xmrig
behavioral2/memory/3100-389-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral2/memory/3100-392-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral2/memory/3100-394-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral2/memory/3100-413-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral2/memory/3100-414-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral2/memory/3100-424-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral2/memory/3100-425-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral2/memory/3100-524-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral2/memory/1896-525-0x0000000000400000-0x0000000000619000-memory.dmp	xmrig
behavioral2/memory/3100-526-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral2/memory/3100-527-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral2/memory/3100-528-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral2/memory/3100-529-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral2/memory/3100-530-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig
behavioral2/memory/3100-531-0x0000000000400000-0x00000000004DA000-memory.dmp	xmrig

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe"	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe"	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe"	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe"	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe"	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe"	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3100	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1896-0-0x0000000000400000-0x0000000000619000-memory.dmp	upx
behavioral2/files/0x00020000000229c7-66.dat	upx
behavioral2/memory/1896-363-0x0000000000400000-0x0000000000619000-memory.dmp	upx
behavioral2/memory/1896-525-0x0000000000400000-0x0000000000619000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe"	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dialer.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\driverquery.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\srdelayed.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP\IMJPUEX.EXE	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cleanmgr.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msra.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RpcPing.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\autoconv.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dccw.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\finger.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mspaint.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PackagedCWALauncher.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate_ssp.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wowreg32.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\efsui.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iscsicpl.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\logman.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\odbcconf.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ReAgentc.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winrs.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WSManHTTPConfig.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bthudtask.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cliconfg.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\credwiz.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HOSTNAME.EXE	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sfc.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SyncHost.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fixmapi.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mavinject.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TCPSVCS.EXE	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\write.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SearchFilterHost.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\verclsid.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ThumbnailExtractionHost.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\clip.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\extrac32.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iscsicli.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\poqexec.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sdbinst.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eventcreate.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\recover.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sxstrace.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TokenBrokerCookies.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xcopy.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMETC\IMTCPROP.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\find.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\getmac.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\subst.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\autochk.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iexpress.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate_isv.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chcp.com	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cacls.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ddodiag.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TRACERT.EXE	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ttdinject.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LaunchTM.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasdial.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\BackgroundTransferHost.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chkntfs.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dxdiag.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fontdrvhost.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\setup_wm.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\RestartRegister.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79609\java.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\pages\wefgalleryonenoteinsertwinrt.htm	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\bulletin_board.html	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Mail\wabmig.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile.html	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\r\ScriptRunner.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-errorreportingcore_31bf3856ad364e35_10.0.19041.1081_none_955497efbb030cb9\r\wermgr.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-setx_31bf3856ad364e35_10.0.19041.1_none_6267e352b86de969\setx.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\scoobeoutro-main.html	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\401-5.htm	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File opened for modification	C:\Windows\WinSxS\amd64_windows-shield-provider_31bf3856ad364e35_10.0.19041.1266_none_1abb9653828c3f41\SecurityHealthService.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_10.0.19041.1_none_3d62a57d3b12dcf1\print.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\AddSuggestedFoldersToLibraryDialog.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..microsoftedgebchost_31bf3856ad364e35_10.0.19041.1_none_14b1d8fa41ae50fb\MicrosoftEdgeBCHost.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-rasautodial_31bf3856ad364e35_10.0.19041.546_none_edd345b6c42269da\r\rasautou.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..biometrics-trustlet_31bf3856ad364e35_10.0.19041.1266_none_ba0845abb58c8bdd\r\BioIso.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoftwindowssystemrestore-tasks_31bf3856ad364e35_10.0.19041.84_none_2c3254d57443e050\r\SrTasks.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_windows-gaming-xbox..e-service-component_31bf3856ad364e35_10.0.19041.789_none_3136b8d712da0334\XblGameSaveTask.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.1_none_4a388618f6365227\NarratorQuickStart.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..auncher-cmdlinetool_31bf3856ad364e35_10.0.19041.1_none_ad30f89d0263039b\pwlauncher.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..ntalcontrolsmonitor_31bf3856ad364e35_10.0.19041.1266_none_bfb5312df2d5c960\WpcMon.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..vercommandlinetools_31bf3856ad364e35_10.0.19041.1_none_70349c6644208282\tsprof.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wmi-core_31bf3856ad364e35_10.0.19041.1_none_6f451098bef6266e\WmiApSrv.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\405.htm	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-lxss-wslconfig_31bf3856ad364e35_10.0.19041.117_none_7f3778d7035d9622\r\wslconfig.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_10.0.19041.1266_none_22b99d078bbc3016\r\setup_wm.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-oobe-firstlogonanimexe_31bf3856ad364e35_10.0.19041.1_none_81400e8a2cfebcbb\FirstLogonAnim.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..packagedcwalauncher_31bf3856ad364e35_10.0.19041.1_none_992adeb39ce930a0\PackagedCWALauncher.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-appid_31bf3856ad364e35_10.0.19041.1202_none_cc0c3d35675da3a1\appidpolicyconverter.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_multipoint-wmsuseragent_31bf3856ad364e35_10.0.19041.746_none_3ed4d566b640ef5b\f\WmsUserAgent.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ervicing-management_31bf3856ad364e35_10.0.19041.746_none_46f79836a0dc7206\Dism.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\pdferrormfnotfound.html	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..raries-servercommon_31bf3856ad364e35_10.0.19041.264_none_91c1d6c40350b1b6\iissetup.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_8a8440f738abd1b9\wmplayer.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\PrintDialog\PrintDialog.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevagent_31bf3856ad364e35_10.0.19041.1_none_b29cb2f3845833b7\UevAgentPolicyGenerator.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-pnputil_31bf3856ad364e35_10.0.19041.1151_none_7233d7a171b1272a\r\pnputil.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-shellhost_31bf3856ad364e35_10.0.19041.746_none_f47187f881cbaf7d\r\sihost.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-gpowershell-exe_31bf3856ad364e35_10.0.19041.1_none_f8d6d7787573666b\powershell_ise.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-htmlhelp_31bf3856ad364e35_10.0.19041.1_none_889bae88587ac38a\hh.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wow64-legacy_31bf3856ad364e35_10.0.19041.1_none_ac040ccaa73c8c1b\instnm.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-xbox-gameoverlay_31bf3856ad364e35_10.0.19041.746_none_2703bed0ba809808\GamePanel.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_45a6c0aa2ed16c7c\http_400.htm	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_smsvchost_b03f5f7f11d50a3a_4.0.15805.0_none_6d5f51303f9aca21\SMSvcHost.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\view\oobeFooterHost.html	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\http_404.htm	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_d1f435fdf91e63d5\hstscerterror.htm	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ed-chinese-moimeexe_31bf3856ad364e35_10.0.19041.746_none_c3054a007d804943\f\ChsIME.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ddodiag_31bf3856ad364e35_10.0.19041.1_none_f69c49e870acf520\ddodiag.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-eventlog-commandline_31bf3856ad364e35_10.0.19041.1202_none_3fe90cdb6667211e\r\wevtutil.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\sslnavcancel.htm	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\500-18.htm	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cttune_31bf3856ad364e35_10.0.19041.1_none_697599f55de29ec6\cttune.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_wpf-xamlviewer_31bf3856ad364e35_10.0.19041.1_none_0bff5a051c4a690a\XamlViewer_v0300.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-errorreportingfaults_31bf3856ad364e35_10.0.19041.1081_none_ef39acce2648e404\WerFaultSecure.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-nslookup_31bf3856ad364e35_10.0.19041.1_none_8bc62bc63a30d6fb\nslookup.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_it-it_2fceb6f1060351fa\pdferrorrenewrentallicense.html	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\PhishSite_Iframe.htm	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-grouppolicy-script_31bf3856ad364e35_10.0.19041.572_none_42ec0e96ce977bdb\r\gpscript.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..te-orchestratorcore_31bf3856ad364e35_10.0.19041.1266_none_fb98272b39a47240\f\usocoreworker.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wusa_31bf3856ad364e35_10.0.19041.1151_none_21d0a68ccdc67be8\f\wusa.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-legacyhwui_31bf3856ad364e35_10.0.19041.1_none_a2b9da391bff31c4\hdwwiz.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-i..atedusermode-kernel_31bf3856ad364e35_10.0.19041.207_none_c5e1b9def3522696\f\securekernel.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-cttunesvr_31bf3856ad364e35_10.0.19041.1_none_a5ebe4c7bdb5bb85\cttunesvr.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-webauth_31bf3856ad364e35_10.0.19041.746_none_099c40ad55bc5d6c\f\AuthHost.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-b..re-memorydiagnostic_31bf3856ad364e35_10.0.19041.1_none_987b063fd85ba334\memtest.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..switch-toasthandler_31bf3856ad364e35_10.0.19041.746_none_b2e64138c9682982\f\InputSwitchToastHandler.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_10.0.19041.928_none_b321f2c2ab7710a2\f\sdbinst.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..perience-ait-static_31bf3856ad364e35_10.0.19041.1202_none_a5a4c3f2637b55fa\aitstatic.exe	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
Token: 33	1896	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1896	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3100	svchost.exe
Token: SeLockMemoryPrivilege	3100	svchost.exe
Token: SeLockMemoryPrivilege	3100	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1896	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 3100	1896	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe	86
PID 1896 wrote to memory of 3100	1896	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe	86

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db4783d98a68a9798aa3c953999e98e4_JaffaCakes118.exe"
1⤵
- UAC bypass
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1896
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Uninstall.exe

Filesize
7.7MB

MD5
c844322b526396c4a584b559f6fd23bc

SHA1
7884f3094971b03701ae3e3285fb0442a1c3e3d7

SHA256
26112dc8864b6cd83ea7e46226470a9f8dc7a4fde45e89a6a50b999fa5bcf455

SHA512
e757941b9720c33a95fe312f6c04842e804e591125d1d00bee3aee0ddf23a44c1de3cc0928ded36700deb8b192e7af95eae33520ab1192a03dee62197ba513af

Download Submit
C:\Windows\config.json

Filesize
1KB

MD5
88c5c5706d2e237422eda18490dc6a59

SHA1
bb8d12375f6b995301e756de2ef4fa3a3f6efd39

SHA256
4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e

SHA512
a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

Download Submit
C:\Windows\svchost.exe

Filesize
833KB

MD5
4a87a4d6677558706db4afaeeeb58d20

SHA1
7738dc6a459f8415f0265d36c626b48202cd6764

SHA256
08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7

SHA512
bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
3ffa93ae5a1cbf76fb9723ed4753344a

SHA1
889180d1b48a14882b757684966152fc06bbe332

SHA256
c39dffdc4cbf556cba6128827ccde739a6cc53a84c677f37ff2a984f1e226c4c

SHA512
305806f724f5caff01f4803a288094ba16c17519724afd98426320c4d6ea1e8962f50c7c81f1dd5bd1fdc816a3d86234c6b1a3b6a9af8f9386687e0d2ab892e7

Download Submit
memory/1896-0-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/1896-363-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/1896-525-0x0000000000400000-0x0000000000619000-memory.dmp

Filesize
2.1MB

Download
memory/3100-424-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/3100-389-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/3100-414-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/3100-394-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/3100-425-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/3100-392-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/3100-524-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/3100-413-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/3100-526-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/3100-527-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/3100-528-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/3100-529-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/3100-530-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/3100-531-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads