Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2024, 05:46
Static task: static1
Behavioral task: behavioral1
  Sample: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
Size: 192KB
MD5: eab2950521e2e17f90c87bcb847cd3bd
SHA1: a2568f39a3c05d4f720ac39cc71dd4cffec13f34
SHA256: 7e502264237f15a7caf41517a953083b8394e7c1550d64af01a94bae5d25117a
SHA512: 94d704cf15e080f7c8851ee2a7dc6d114af67bdd15556333e71b838bf2b34ebabd3138f4855450cceae2a72b6bdd7e9216628011d63c1497a8d2cf8352117028
SSDEEP: 6144:LnXWx4wSizY9r4BlDqFVhbdfq351C2lF/cQ:LnXWKwSCkcBlOF3b1t2L
Malware Config
Signatures
Executes dropped EXE 3 IoCs
pid | Process
2836 | mscorsvw.exe
2696 | mscorsvw.exe
2148 | OSE.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.

Windows security modification 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-457978338-2990298471-2379561640-1000 | OSE.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-457978338-2990298471-2379561640-1000\EnableNotifications = "0" | OSE.EXE
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe (21 IoCs, every drive letter from E: to Z: except F:):
  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
File opened (read-only) by OSE.EXE (21 IoCs, the same letters):
  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops file in System32 directory 35 IoCs
File opened for modification by eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe (17):
  \??\c:\windows\SysWOW64\dllhost.exe
  \??\c:\windows\syswow64\perfhost.exe
  \??\c:\windows\SysWOW64\alg.exe
  \??\c:\windows\SysWOW64\svchost.exe
  \??\c:\windows\SysWOW64\lsass.exe
  \??\c:\windows\SysWOW64\vds.exe
  \??\c:\windows\SysWOW64\msdtc.exe
  \??\c:\windows\SysWOW64\vssvc.exe
  \??\c:\windows\SysWOW64\ui0detect.exe
  \??\c:\windows\SysWOW64\ieetwcollector.exe
  \??\c:\windows\SysWOW64\msiexec.exe
  \??\c:\windows\SysWOW64\locator.exe
  \??\c:\windows\SysWOW64\snmptrap.exe
  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe
  \??\c:\windows\SysWOW64\fxssvc.exe
  \??\c:\windows\SysWOW64\wbengine.exe
  \??\c:\windows\SysWOW64\searchindexer.exe
File created by eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe (4):
  \??\c:\windows\SysWOW64\searchindexer.vir
  \??\c:\windows\SysWOW64\msiexec.vir
  \??\c:\windows\SysWOW64\svchost.vir
  \??\c:\windows\SysWOW64\dllhost.vir
File opened for modification by OSE.EXE (14):
  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe
  \??\c:\windows\SysWOW64\snmptrap.exe
  \??\c:\windows\SysWOW64\vds.exe
  \??\c:\windows\SysWOW64\alg.exe
  \??\c:\windows\syswow64\perfhost.exe
  \??\c:\windows\SysWOW64\lsass.exe
  \??\c:\windows\SysWOW64\vssvc.exe
  \??\c:\windows\SysWOW64\locator.exe
  \??\c:\windows\SysWOW64\ieetwcollector.exe
  \??\c:\windows\SysWOW64\msdtc.exe
  \??\c:\windows\SysWOW64\wbengine.exe
  \??\c:\windows\SysWOW64\ui0detect.exe
  \??\c:\windows\SysWOW64\svchost.exe
  \??\c:\windows\SysWOW64\fxssvc.exe
Drops file in Program Files directory 64 IoCs
File opened for modification by eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe (60):
  \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe
  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe
  C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe
  \??\c:\program files\windows media player\wmpnetwk.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe
  C:\Program Files\7-Zip\Uninstall.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe
  C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe
  C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe
  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
  C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe
  C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
  C:\Program Files\Internet Explorer\ieinstal.exe
  C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe
  \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe
  C:\Program Files\7-Zip\7z.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe
  \??\c:\program files (x86)\google\update\googleupdate.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe
  C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe
  C:\Program Files\7-Zip\7zFM.exe
  C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
File opened for modification by OSE.EXE (4):
  \??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe
  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
  \??\c:\program files (x86)\microsoft office\office14\groove.exe
  \??\c:\program files (x86)\google\update\googleupdate.exe
Drops file in Windows directory 27 IoCs
File opened for modification by eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe (10):
  \??\c:\windows\ehome\ehrecvr.exe
  \??\c:\windows\servicing\trustedinstaller.exe
  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe
  \??\c:\windows\ehome\ehsched.exe
  \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
  \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe
  \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe
  \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe
  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
File created by eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe (2):
  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir
  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir
File opened for modification by OSE.EXE (10):
  \??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe
  \??\c:\windows\ehome\ehrecvr.exe
  \??\c:\windows\ehome\ehsched.exe
  \??\c:\windows\servicing\trustedinstaller.exe
  \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe
  \??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
  \??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe
  \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
  \??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
  \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe
dllhost.exe (2):
  File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F6030A4B-75A0-47A0-978C-21FD52B18BA2}.crmlog
  File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{F6030A4B-75A0-47A0-978C-21FD52B18BA2}.crmlog
mscorsvw.exe (3):
  File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock
  File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
  File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat
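The three "Drops file" signatures above, read together with "Executes dropped EXE" and "Windows security modification", describe one pattern: the sample opens dozens of existing executables for modification, creates a `.vir` file beside several of them, and two binaries it touched (ose.exe and mscorsvw.exe) later run under their own process names and repeat the same file-modification behaviour, with OSE.EXE also switching off Security Center notifications. A responder usually wants these flattened IoC rows as structured data rather than as a wall of text. The Python below is an added example, not part of the Triage report or of any Triage tooling: it parses rows in the report's "description ioc Process" shape, folds the mixed NT (`\??\c:\...`) and Win32 (`C:\...`) path spellings into one form, and derives the modified-executable list per process, the `.vir`/`.exe` companion pairs, the drive letters probed, and the Security Center `EnableNotifications` write. The embedded rows are a constructed subset copied from this report; `parse_rows`, `vir_companions` and the other names are the example's own.

```python
"""Added example (not part of the Triage report): turn the report's flattened
IoC rows into records and derive what a responder needs from this sample.
Assumed row shape, as the report renders it: "<description> <ioc> <Process>",
where Process is the last whitespace-separated token and ioc may contain spaces."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe"

# Description column values that occur in this report's signature tables.
DESCRIPTIONS = (
    "File opened for modification", "File created", "File opened (read-only)",
    "Key created", "Key opened", "Set value (int)",
)
ROW_RE = re.compile(r"^(" + "|".join(re.escape(d) for d in DESCRIPTIONS) + r") (.+) (\S+)$")

# Constructed subset of rows copied from this report's signature tables.
RAW_ROWS = r"""
File opened for modification \??\c:\windows\SysWOW64\dllhost.exe <sample>
File created \??\c:\windows\SysWOW64\dllhost.vir <sample>
File opened for modification \??\c:\windows\SysWOW64\svchost.exe <sample>
File created \??\c:\windows\SysWOW64\svchost.vir <sample>
File opened for modification \??\c:\windows\SysWOW64\alg.exe OSE.EXE
File opened for modification C:\Program Files\7-Zip\7z.exe <sample>
File opened for modification \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe <sample>
File opened for modification \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe <sample>
File opened for modification \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe OSE.EXE
File created \??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir <sample>
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock mscorsvw.exe
File opened (read-only) \??\E: <sample>
File opened (read-only) \??\Z: <sample>
File opened (read-only) \??\I: OSE.EXE
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-457978338-2990298471-2379561640-1000\EnableNotifications = "0" OSE.EXE
""".replace("<sample>", SAMPLE)


@dataclass(frozen=True)
class Ioc:
    description: str
    ioc: str
    process: str


def parse_rows(text: str) -> list[Ioc]:
    """Split each non-empty line into (description, ioc, process); reject unknown shapes."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised IoC row: {line!r}")
        rows.append(Ioc(*m.groups()))
    return rows


def norm_path(path: str) -> str:
    """Fold NT object paths (\\??\\c:\\...) and Win32 paths (C:\\...) to one
    lower-case form so the same file is counted once regardless of spelling."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def modified_executables(rows: list[Ioc]) -> dict[str, list[str]]:
    """Per process, the .exe files it opened for modification (infection candidates)."""
    out: dict[str, set[str]] = defaultdict(set)
    for r in rows:
        if r.description == "File opened for modification" and r.ioc.lower().endswith(".exe"):
            out[r.process].add(norm_path(r.ioc))
    return {proc: sorted(paths) for proc, paths in out.items()}


def vir_companions(rows: list[Ioc]) -> list[tuple[str, str, bool]]:
    """Pair each created '<name>.vir' with '<name>.exe' in the same directory and
    flag whether that .exe was also opened for modification by any process."""
    modified = {p for paths in modified_executables(rows).values() for p in paths}
    pairs = []
    for r in rows:
        if r.description == "File created" and r.ioc.lower().endswith(".vir"):
            vir = norm_path(r.ioc)
            exe = vir[:-len(".vir")] + ".exe"
            pairs.append((vir, exe, exe in modified))
    return sorted(pairs)


def drives_enumerated(rows: list[Ioc]) -> dict[str, str]:
    """Per process, the drive letters probed via read-only opens of '\\??\\X:'."""
    out: dict[str, set[str]] = defaultdict(set)
    for r in rows:
        m = re.fullmatch(r"\\\?\?\\([A-Z]):", r.ioc)
        if r.description == "File opened (read-only)" and m:
            out[r.process].add(m.group(1))
    return {proc: "".join(sorted(letters)) for proc, letters in out.items()}


def security_center_tamper(rows: list[Ioc]) -> list[tuple[str, str]]:
    """(process, Security Center key) for every EnableNotifications = "0" write."""
    hits = []
    for r in rows:
        low = r.ioc.lower()
        if (r.description == "Set value (int)" and "\\security center\\svc\\" in low
                and low.endswith('\\enablenotifications = "0"')):
            hits.append((r.process, r.ioc.rsplit("\\EnableNotifications", 1)[0]))
    return hits


if __name__ == "__main__":
    rows = parse_rows(RAW_ROWS)
    print(modified_executables(rows), vir_companions(rows), sep="\n")
    print(drives_enumerated(rows), security_center_tamper(rows), sep="\n")
```

The `.vir`/`.exe` pairing is a lead, not a conclusion: the report records that the files were created and that the neighbouring executables were opened for modification, not what the `.vir` files contain. On a real host, compare the two files and check the `.exe`'s Authenticode signature before treating the `.vir` as a clean copy to restore from.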
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
  mscorsvw.exe
  OSE.EXE
  eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
Modifies data under HKEY_USERS 3 IoCs
Key created by SearchIndexer.exe:
  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid | Process
2148 | OSE.EXE (all 26 IoCs are from this process)
Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeTakeOwnershipPrivilege | 2752 | eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
Token: SeRestorePrivilege | 2468 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2468 | msiexec.exe
Token: SeSecurityPrivilege | 2468 | msiexec.exe
Token: SeManageVolumePrivilege | 2720 | SearchIndexer.exe
Token: 33 | 2720 | SearchIndexer.exe
Token: SeIncBasePriorityPrivilege | 2720 | SearchIndexer.exe
Token: SeTakeOwnershipPrivilege | 2148 | OSE.EXE
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
2192 | SearchProtocolHost.exe (all 4 IoCs are from this process)
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 2720 wrote to memory of 2192 | 2720 | SearchIndexer.exe | 38 (3 IoCs)
PID 2720 wrote to memory of 2776 | 2720 | SearchIndexer.exe | 39 (3 IoCs)
PID 2720 wrote to memory of 2672 | 2720 | SearchIndexer.exe | 41 (3 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eab2950521e2e17f90c87bcb847cd3bd_JaffaCakes118.exe"
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 2752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  - Executes dropped EXE
  PID: 2696

C:\Windows\system32\dllhost.exe
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Drops file in Windows directory
  PID: 2564

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 2468

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2148

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2720

    C:\Windows\system32\SearchProtocolHost.exe (child of PID 2720)
      Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-457978338-2990298471-2379561640-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-457978338-2990298471-2379561640-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1"
      - Suspicious use of SetWindowsHookEx
      PID: 2192

    C:\Windows\system32\SearchFilterHost.exe (child of PID 2720)
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
      PID: 2776

    C:\Windows\system32\SearchFilterHost.exe (child of PID 2720)
      Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 512 516 524 65536 520
      PID: 2672
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 284KB
MD5: e439430997faf032bb90db4cb3cfb85d
SHA1: f5faec3b5a9b6a72e3434ed146fe1cf6fbf692a8
SHA256: d15fafd0644267bcef470fe5eb5b87aac659560e973ed4843881b06f644afddb
SHA512: 98f9d641157b47abf6a5046488da7c77a4a80875265267bd18395926ff167635c24a0c73e8979e9614a2b28a6126bafbc5364c9da43b6a242b9e7133c380801c

Filesize: 1.2MB
MD5: 8174bc516ba6943da8e0f2daec453f27
SHA1: 414db3d2b6875d529a290517033fbf8002a4b319
SHA256: f4a842742e5554defbac5cefa75c8d8313191d0ec0b7d6a3ddeb7a1dfbb1364a
SHA512: a9b0a6951aa76a1cc37b470a9089237652e2c1c6f6dc9aa0200f1356e2653b0a216bc3082c14659be59657323ee890ae92338129837add13dc12e0bbdbafcb96

Filesize: 284KB
MD5: a144fa37a976c46c0e9b1c469be40730
SHA1: 658dff7b692b81cca65e29043a2836ee0b406c79
SHA256: ad90010304f212dcd7b5970edf549a48658b7c955042d469cf5bb4c323511b39
SHA512: e635255f805ef20b525729118ade4ea82559d025fc99d745bf3d469151cc11805deb47a6d5e4fb4a0d06a7491573a4106d077480de6f451d7fe30b000e57b0fc

Filesize: 1024KB
MD5: 1b2f65afbda6cbfebea33fef7eb74abb
SHA1: ca561f4001ce8b1835eadc70df9a45a5395fa341
SHA256: 609818d66d5b0fa4eaae604d6a0821db0b1bc7736e8428bf175bdf3dec91dbc2
SHA512: e56299ef6da60466c54b5a4a85b5d46997b321de2d222f0ec24393f6fac20c0c900d1d68e644401e293180f38f3e88ac1169e218fcee92493849f23405dd85aa

Filesize: 203KB
MD5: d5ebf38ee4bf5f3c6c83bee301d74694
SHA1: f845e78ada48e265e2eb2957043511668797fdc1
SHA256: 0f2a9693509766c31adc09c8bdfabc214c90307ebef1c7a10d99953c90f9e6fa
SHA512: e8882fedb7633f591f7f557675ddedd61ec5325661bdd56109e8223dec095b96cd5cca461f72fe4ff287e2553891cce6b10f75fcaad76a3cdb3d0befb2178157

Filesize: 1003KB
MD5: 9810c8c671df75d086440c2422e8d23b
SHA1: 752b44716a6db0bd12c3b21942d823115eea7869
SHA256: 1aacfd956b689f3ad101b48609ac3b66197d9a6996755653b315bfd792f22e51
SHA512: 006c9a0f3d579686800f41ddce3125c58d6d5765bef08daea15804b128f8669715a9fb1eccbfb640e01d2ef91a39fa53a61ab7cf3c68035089d6a20a8320debd

Filesize: 234KB
MD5: 2dfade6b1cd6ffce496c5dc2394ae41b
SHA1: d6663ccdbf351c47b9ce66d34d9a07b2203480ec
SHA256: 2ba09e29d9adf084a232fd5d24d09a7196a88a214106826762b8247c85e04f73
SHA512: 8d33a3b88cf92065f01b5777885fb65bdc41f2217b7ccd60523f4408738a6bcae17332d4c7185d4defd3618bf4fc868b296d1e0d9ae04c80464aac3bb8d3922b

Filesize: 29.7MB
MD5: 42293d6f2af3d8ffc3d60bce17030317
SHA1: ce4ad9207b8ebc3c3c99eaded02cc2f3dda2111e
SHA256: 52c4d776ed740c469692be5b786bb83b4e6a07dfb7b559d7a8e7454d9c60e8a6
SHA512: 3a6320d27b70f4efad31a24d12c322f610aa0303b318ff29ee7dfd716e9aa2541923addcd6184997c2559b73303a4ab1ad5651c71014c2fe7571051c0b978454

Filesize: 164KB
MD5: 65fe15d5c6f5a574010c81102be1594c
SHA1: 7fec835637ba1a1258fdacb7c1914687a892525b
SHA256: 0c3a09635d73c83668ad07433d3456255ac5f5bf7a105346dfd169422f4ac1f0
SHA512: 18bb1883db8d88eb95189c950d46889f97dee5c7139d0c0a9510e314f8637384636944c1812019dc8073aeea68cbc8ca23344557ba5415b4f02696b14751798d