7e502264237f15a7caf41517a953083b8394e7c1550d64af01a94bae5d25117a

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
Size

192KB
MD5

eab2950521e2e17f90c87bcb847cd3bd
SHA1

a2568f39a3c05d4f720ac39cc71dd4cffec13f34
SHA256

7e502264237f15a7caf41517a953083b8394e7c1550d64af01a94bae5d25117a
SHA512

94d704cf15e080f7c8851ee2a7dc6d114af67bdd15556333e71b838bf2b34ebabd3138f4855450cceae2a72b6bdd7e9216628011d63c1497a8d2cf8352117028
SSDEEP

6144:LnXWx4wSizY9r4BlDqFVhbdfq351C2lF/cQ:LnXWKwSCkcBlOF3b1t2L

Score

7^/10

credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2836	mscorsvw.exe
2696	mscorsvw.exe
2148	OSE.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-457978338-2990298471-2379561640-1000	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-457978338-2990298471-2379561640-1000\EnableNotifications = "0"	OSE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\L:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\O:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\S:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\K:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\P:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\W:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\X:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\I:	OSE.EXE
File opened (read-only)	\??\W:	OSE.EXE
File opened (read-only)	\??\X:	OSE.EXE
File opened (read-only)	\??\E:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\T:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\V:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\E:	OSE.EXE
File opened (read-only)	\??\Z:	OSE.EXE
File opened (read-only)	\??\H:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\R:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\Y:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\H:	OSE.EXE
File opened (read-only)	\??\J:	OSE.EXE
File opened (read-only)	\??\P:	OSE.EXE
File opened (read-only)	\??\T:	OSE.EXE
File opened (read-only)	\??\N:	OSE.EXE
File opened (read-only)	\??\J:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\N:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\Q:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\U:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\Z:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\G:	OSE.EXE
File opened (read-only)	\??\M:	OSE.EXE
File opened (read-only)	\??\O:	OSE.EXE
File opened (read-only)	\??\Y:	OSE.EXE
File opened (read-only)	\??\G:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\M:	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened (read-only)	\??\R:	OSE.EXE
File opened (read-only)	\??\V:	OSE.EXE
File opened (read-only)	\??\K:	OSE.EXE
File opened (read-only)	\??\L:	OSE.EXE
File opened (read-only)	\??\Q:	OSE.EXE
File opened (read-only)	\??\S:	OSE.EXE
File opened (read-only)	\??\U:	OSE.EXE

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	OSE.EXE
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	OSE.EXE
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	OSE.EXE
File created	\??\c:\windows\SysWOW64\svchost.vir	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	OSE.EXE
File created	\??\c:\windows\SysWOW64\dllhost.vir	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	OSE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	OSE.EXE
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	OSE.EXE
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F6030A4B-75A0-47A0-978C-21FD52B18BA2}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	OSE.EXE
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F6030A4B-75A0-47A0-978C-21FD52B18BA2}.crmlog	dllhost.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE
2148	OSE.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2752	eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
Token: SeRestorePrivilege	2468	msiexec.exe
Token: SeTakeOwnershipPrivilege	2468	msiexec.exe
Token: SeSecurityPrivilege	2468	msiexec.exe
Token: SeManageVolumePrivilege	2720	SearchIndexer.exe
Token: 33	2720	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2148	OSE.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2192	SearchProtocolHost.exe
2192	SearchProtocolHost.exe
2192	SearchProtocolHost.exe
2192	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2192	2720	SearchIndexer.exe	38
PID 2720 wrote to memory of 2192	2720	SearchIndexer.exe	38
PID 2720 wrote to memory of 2192	2720	SearchIndexer.exe	38
PID 2720 wrote to memory of 2776	2720	SearchIndexer.exe	39
PID 2720 wrote to memory of 2776	2720	SearchIndexer.exe	39
PID 2720 wrote to memory of 2776	2720	SearchIndexer.exe	39
PID 2720 wrote to memory of 2672	2720	SearchIndexer.exe	41
PID 2720 wrote to memory of 2672	2720	SearchIndexer.exe	41
PID 2720 wrote to memory of 2672	2720	SearchIndexer.exe	41

C:\Users\Admin\AppData\Local\Temp\eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2696

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:2564

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-457978338-2990298471-2379561640-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-457978338-2990298471-2379561640-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2192
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
  2⤵
  PID:2776
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
  2⤵
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
284KB

MD5
e439430997faf032bb90db4cb3cfb85d

SHA1
f5faec3b5a9b6a72e3434ed146fe1cf6fbf692a8

SHA256
d15fafd0644267bcef470fe5eb5b87aac659560e973ed4843881b06f644afddb

SHA512
98f9d641157b47abf6a5046488da7c77a4a80875265267bd18395926ff167635c24a0c73e8979e9614a2b28a6126bafbc5364c9da43b6a242b9e7133c380801c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.2MB

MD5
8174bc516ba6943da8e0f2daec453f27

SHA1
414db3d2b6875d529a290517033fbf8002a4b319

SHA256
f4a842742e5554defbac5cefa75c8d8313191d0ec0b7d6a3ddeb7a1dfbb1364a

SHA512
a9b0a6951aa76a1cc37b470a9089237652e2c1c6f6dc9aa0200f1356e2653b0a216bc3082c14659be59657323ee890ae92338129837add13dc12e0bbdbafcb96

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
284KB

MD5
a144fa37a976c46c0e9b1c469be40730

SHA1
658dff7b692b81cca65e29043a2836ee0b406c79

SHA256
ad90010304f212dcd7b5970edf549a48658b7c955042d469cf5bb4c323511b39

SHA512
e635255f805ef20b525729118ade4ea82559d025fc99d745bf3d469151cc11805deb47a6d5e4fb4a0d06a7491573a4106d077480de6f451d7fe30b000e57b0fc

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
1b2f65afbda6cbfebea33fef7eb74abb

SHA1
ca561f4001ce8b1835eadc70df9a45a5395fa341

SHA256
609818d66d5b0fa4eaae604d6a0821db0b1bc7736e8428bf175bdf3dec91dbc2

SHA512
e56299ef6da60466c54b5a4a85b5d46997b321de2d222f0ec24393f6fac20c0c900d1d68e644401e293180f38f3e88ac1169e218fcee92493849f23405dd85aa

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
203KB

MD5
d5ebf38ee4bf5f3c6c83bee301d74694

SHA1
f845e78ada48e265e2eb2957043511668797fdc1

SHA256
0f2a9693509766c31adc09c8bdfabc214c90307ebef1c7a10d99953c90f9e6fa

SHA512
e8882fedb7633f591f7f557675ddedd61ec5325661bdd56109e8223dec095b96cd5cca461f72fe4ff287e2553891cce6b10f75fcaad76a3cdb3d0befb2178157

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
9810c8c671df75d086440c2422e8d23b

SHA1
752b44716a6db0bd12c3b21942d823115eea7869

SHA256
1aacfd956b689f3ad101b48609ac3b66197d9a6996755653b315bfd792f22e51

SHA512
006c9a0f3d579686800f41ddce3125c58d6d5765bef08daea15804b128f8669715a9fb1eccbfb640e01d2ef91a39fa53a61ab7cf3c68035089d6a20a8320debd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
234KB

MD5
2dfade6b1cd6ffce496c5dc2394ae41b

SHA1
d6663ccdbf351c47b9ce66d34d9a07b2203480ec

SHA256
2ba09e29d9adf084a232fd5d24d09a7196a88a214106826762b8247c85e04f73

SHA512
8d33a3b88cf92065f01b5777885fb65bdc41f2217b7ccd60523f4408738a6bcae17332d4c7185d4defd3618bf4fc868b296d1e0d9ae04c80464aac3bb8d3922b

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
29.7MB

MD5
42293d6f2af3d8ffc3d60bce17030317

SHA1
ce4ad9207b8ebc3c3c99eaded02cc2f3dda2111e

SHA256
52c4d776ed740c469692be5b786bb83b4e6a07dfb7b559d7a8e7454d9c60e8a6

SHA512
3a6320d27b70f4efad31a24d12c322f610aa0303b318ff29ee7dfd716e9aa2541923addcd6184997c2559b73303a4ab1ad5651c71014c2fe7571051c0b978454

Download Submit
\??\c:\windows\SysWOW64\svchost.exe

Filesize
164KB

MD5
65fe15d5c6f5a574010c81102be1594c

SHA1
7fec835637ba1a1258fdacb7c1914687a892525b

SHA256
0c3a09635d73c83668ad07433d3456255ac5f5bf7a105346dfd169422f4ac1f0

SHA512
18bb1883db8d88eb95189c950d46889f97dee5c7139d0c0a9510e314f8637384636944c1812019dc8073aeea68cbc8ca23344557ba5415b4f02696b14751798d

Download Submit
memory/2148-139-0x000000002E000000-0x000000002E086000-memory.dmp

Filesize
536KB

Download
memory/2148-44-0x000000002E000000-0x000000002E086000-memory.dmp

Filesize
536KB

Download
memory/2696-24-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2720-49-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/2720-88-0x0000000003E70000-0x0000000003E78000-memory.dmp

Filesize
32KB

Download
memory/2720-94-0x0000000003F10000-0x0000000003F11000-memory.dmp

Filesize
4KB

Download
memory/2720-100-0x0000000003E70000-0x0000000003E78000-memory.dmp

Filesize
32KB

Download
memory/2720-102-0x0000000003E20000-0x0000000003E21000-memory.dmp

Filesize
4KB

Download
memory/2720-111-0x0000000003ED0000-0x0000000003ED8000-memory.dmp

Filesize
32KB

Download
memory/2720-65-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2752-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2752-2-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2752-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2836-30-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download
memory/2836-13-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download