Analysis
max time kernel: 150s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/09/2024, 01:04
Static task: static1
Behavioral task: behavioral1
  Sample: eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
Size: 69KB
MD5: eec73d5e57d461298462bda0ae7097fc
SHA1: a7796955e0475408e42c70e1839d654c5c428885
SHA256: ee4e13296df83a615961a3f0b198df16dc872b758b19a2642fdc16c59ee1c0d2
SHA512: 3c3587482479169b512d51b6637d9ee0136a4d0e6b86c5cde9081dac9497d85e2db7d92f2725883ad4628b0ab029d960bd0ed5c9ea1fc1baaf633dbf78d5cf0c
SSDEEP: 1536:EvzwF+cEpvnFbnL+43LIPnlEZfamCaYM4HPmqZZna7:3knF+4ctmtrq3ZZa7
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Process: eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\System32\\userinit.exe,C:\\WINDOWS\\Film Porno.exe,"
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Process: eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Disables RegEdit via registry modification 1 IoCs
Process: eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Drops startup file 4 IoCs
Process: eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Film bokep.com
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Film bokep.com
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fil Porno.vbs
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Film Porno.vbs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
Process: eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServicesOnline = "C:\\WINDOWS\\Film Porno.exe"
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process: eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
  File opened (read-only) on each of \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C:, D: and F:)
Modifies WinLogon 2 TTPs 3 IoCs
Process: eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\WINDOWS\\Film Porno.exe,"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = " !!! W32.Topinsutki.Moontok.B !!! "
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = " --- Hentikanlah kesombongan kalian --- ...Apa kalian tau rasanya menjadi manusia yang sia-sia?Apa kalian tau rasanya setiap saat dihina dan tidak mampu merasakan kesenangan kalian?Aku yakin selama hidup kalian tidak pernah sedikitpun merasakan rasa sakit itu?Wahai kalian yang ada di bumi ini,Kalian yang telah memojokanku dan Kalian yang telah merusak semua kesenanganku,Kalian hanya melihatku sebagai anak yang menyedihkan yang harus kalian singkirkan,kalian hanya memberiku satu-satunya jalan untuk membalas keputusan yang telah kalian buat,...Terima kasih...kini kalian akan melihat darah di kedua tanganmu yang tak akan pernah bisa di bersihkan dan kini aku akan hadir membangkitkan generasi yang lemah dan tak berdaya untuk melawan !!! Paray City 1 Juni 2007 !!! ----By Moontok #VM Community----"
  (English translation of the LegalNoticeText value, kept verbatim above as an IoC: "--- Stop your arrogance --- ...Do you know what it feels like to be a worthless human being? Do you know what it feels like to be humiliated every moment and unable to feel the pleasures you feel? I am sure that in your whole lives you have never once felt that pain? O you who are on this earth, you who have cornered me and you who have destroyed all my happiness, you only saw me as a pathetic child that you had to get rid of, you gave me only one way to repay the decision you made, ...Thank you... now you will see blood on both your hands that can never be washed off, and now I will come to awaken the weak and helpless generation to fight back !!! Paray City 1 June 2007 !!! ----By Moontok #VM Community----")
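The registry rows in the signatures above (Winlogon\Userinit and Winlogon\System, the Run key, DisableRegistryTools and HideFileExt) are the ones a responder has to undo before anything else, and they are easy to miss when the report prints them as one flattened table. The following is an added example, not part of this Triage report or of the tria.ge tooling: it parses the report's own "Set value" row format into structured records and flags each row against ordinary Windows defaults (Userinit is exactly "C:\Windows\system32\userinit.exe,", Winlogon\System is empty, nothing in Run, DisableRegistryTools and HideFileExt unset). The sample rows are copied from the signatures above; the clean Userinit row used as a control, the expected-value rules and the wording of the findings are the example's own. One caveat worth carrying into a live investigation: the report shows the Winlogon writes landing under WOW6432Node, the registry redirector's 32-bit view, because the sample is a 32-bit process on an x64 image; the 64-bit winlogon.exe reads the native key, so on a live host check both views rather than only the one the report names.

```python
"""Parse Triage-style "Set value" rows and flag persistence / defense-evasion changes.

Added example (not from the Triage report or tria.ge): SAMPLE_ROWS are copied
verbatim from the report's signature tables; the rules are ordinary Windows defaults.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Row shape as Triage flattens it:
#   Set value (str) \REGISTRY\MACHINE\...\Winlogon\Userinit = "<data>" <writing process>
# Key paths may contain spaces ("Windows NT"), so the path group is non-greedy up to ' = "'.
ROW_RE = re.compile(r'^Set value \((str|int)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')

SAMPLE_ROWS = [  # copied from the report
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\System32\\userinit.exe,C:\\WINDOWS\\Film Porno.exe," eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServicesOnline = "C:\\WINDOWS\\Film Porno.exe" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\WINDOWS\\Film Porno.exe," eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = " !!! W32.Topinsutki.Moontok.B !!! " eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe',
]


@dataclass
class RegChange:
    key: str      # registry key path as the report prints it
    name: str     # value name
    kind: str     # "str" or "int"
    value: str    # value data with the report's doubled backslashes collapsed
    process: str  # process that wrote it


def parse_row(row: str) -> RegChange:
    m = ROW_RE.match(row.strip())
    if m is None:
        raise ValueError(f"not a Triage 'Set value' row: {row[:70]!r}")
    kind, path, data, process = m.groups()
    key, _, name = path.rpartition("\\")
    # Triage prints backslashes inside string data doubled; collapse them to real paths.
    return RegChange(key, name, kind, data.replace("\\\\", "\\"), process)


def _tail(key: str, n: int) -> str:
    """Last n key components, lower-cased, so HKLM vs HKCU and WOW6432Node do not matter."""
    return "\\".join(key.lower().split("\\")[-n:])


def assess(c: RegChange) -> list[str]:
    """Findings for one change; an empty list means the row matches a clean default."""
    tail = _tail(c.key, 2)
    name = c.name.lower()
    out: list[str] = []
    if tail == "currentversion\\winlogon":
        if name == "userinit":
            entries = [e.strip() for e in c.value.split(",") if e.strip()]
            extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
            if extra:
                out.append("persistence: Winlogon\\Userinit also launches " + "; ".join(extra))
            elif len(entries) != 1:
                out.append(f"suspicious: Winlogon\\Userinit has {len(entries)} entries")
        elif name == "system":
            if c.value.strip(", "):
                out.append(f"persistence: Winlogon\\System = {c.value!r} (empty on a clean host)")
        elif name in ("legalnoticecaption", "legalnoticetext"):
            out.append(f"defacement: logon banner {c.name} set")
    elif tail == "currentversion\\run":
        out.append(f"persistence: Run\\{c.name} = {c.value}")
    elif tail == "policies\\system" and name == "disableregistrytools" and c.value == "1":
        out.append("defense evasion: DisableRegistryTools=1 blocks regedit for the user")
    elif tail == "explorer\\advanced" and name == "hidefileext" and c.value == "1":
        out.append("defense evasion: HideFileExt=1 shows 'photo.jpg.exe' as 'photo.jpg'")
    return out


def triage(rows) -> dict[str, list[str]]:
    """Map each flagged row's value name to its findings; clean rows are omitted."""
    result: dict[str, list[str]] = {}
    for row in rows:
        change = parse_row(row)
        findings = assess(change)
        if findings:
            result[change.name] = findings
    return result


if __name__ == "__main__":
    for value_name, findings in triage(SAMPLE_ROWS).items():
        print(value_name)
        for f in findings:
            print("   ", f)
```

Feed it the full set of "Set value" rows from a report and anything that prints is a key to inspect and restore; a Userinit row whose only entry is userinit.exe produces nothing.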
Drops file in System32 directory 64 IoCs
Process: eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe; every IoC below is a "File created" event:
  \??\c:\Windows\SysWOW64\comp.exe.exe.exe
  \??\c:\Windows\SysWOW64\eudcedit.exe.exe.exe
  \??\c:\Windows\SysWOW64\icsunattend.exe.exe
  \??\c:\Windows\SysWOW64\Register-CimProvider.exe.exe
  \??\c:\Windows\SysWOW64\TapiUnattend.exe.exe
  \??\c:\Windows\SysWOW64\perfmon.exe.exe
  \??\c:\Windows\SysWOW64\gpscript.exe.exe.exe
  \??\c:\Windows\SysWOW64\ntprint.exe.exe.exe
  \??\c:\Windows\SysWOW64\backgroundTaskHost.exe.exe
  \??\c:\Windows\SysWOW64\credwiz.exe.exe
  \??\c:\Windows\SysWOW64\logman.exe.exe
  \??\c:\Windows\SysWOW64\upnpcont.exe.exe
  \??\c:\Windows\SysWOW64\xcopy.exe.exe
  \??\c:\Windows\SysWOW64\mshta.exe.exe.exe
  \??\c:\Windows\SysWOW64\CertEnrollCtrl.exe.exe
  \??\c:\Windows\SysWOW64\msra.exe.exe
  \??\c:\Windows\SysWOW64\tracerpt.exe.exe
  \??\c:\Windows\SysWOW64\reg.exe.exe
  \??\c:\Windows\SysWOW64\chkntfs.exe.exe.exe
  \??\c:\Windows\SysWOW64\GameBarPresenceWriter.exe.exe.exe
  \??\c:\Windows\SysWOW64\AtBroker.exe.exe.exe
  \??\c:\Windows\SysWOW64\CameraSettingsUIHost.exe.exe.exe
  \??\c:\Windows\SysWOW64\iscsicli.exe.exe.exe
  \??\c:\Windows\SysWOW64\findstr.exe.exe
  \??\c:\Windows\SysWOW64\ROUTE.EXE.exe
  \??\c:\Windows\SysWOW64\SystemPropertiesAdvanced.exe.exe
  \??\c:\Windows\SysWOW64\mmgaserver.exe.exe.exe
  \??\c:\Windows\SysWOW64\PkgMgr.exe.exe.exe
  \??\c:\Windows\SysWOW64\setx.exe.exe.exe
  \??\c:\Windows\SysWOW64\fontview.exe.exe
  \??\c:\Windows\SysWOW64\autofmt.exe.exe.exe
  \??\c:\Windows\SysWOW64\bitsadmin.exe.exe.exe
  \??\c:\Windows\SysWOW64\mmgaserver.exe.exe
  \??\c:\Windows\SysWOW64\OneDriveSetup.exe.exe.exe
  \??\c:\Windows\SysWOW64\OposHost.exe.exe.exe
  \??\c:\Windows\SysWOW64\sethc.exe.exe.exe
  \??\c:\Windows\SysWOW64\agentactivationruntimestarter.exe.exe
  \??\c:\Windows\SysWOW64\DWWIN.EXE.exe
  \??\c:\Windows\SysWOW64\cmdkey.exe.exe.exe
  \??\c:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe.exe.exe
  \??\c:\Windows\SysWOW64\nslookup.exe.exe.exe
  \??\c:\Windows\SysWOW64\netbtugc.exe.exe
  \??\c:\Windows\SysWOW64\DpiScaling.exe.exe.exe
  \??\c:\Windows\SysWOW64\mtstocom.exe.exe.exe
  \??\c:\Windows\SysWOW64\regsvr32.exe.exe
  \??\c:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE.exe
  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe.exe
  \??\c:\Windows\SysWOW64\sdiagnhost.exe.exe
  \??\c:\Windows\SysWOW64\dllhost.exe.exe
  \??\c:\Windows\SysWOW64\fc.exe.exe
  \??\c:\Windows\SysWOW64\grpconv.exe.exe
  \??\c:\Windows\SysWOW64\wlanext.exe.exe
  \??\c:\Windows\SysWOW64\ieUnatt.exe.exe.exe
  \??\c:\Windows\SysWOW64\InfDefaultInstall.exe.exe.exe
  \??\c:\Windows\SysWOW64\sdchange.exe.exe.exe
  \??\c:\Windows\SysWOW64\efsui.exe.exe
  \??\c:\Windows\SysWOW64\netsh.exe.exe
  \??\c:\Windows\SysWOW64\shutdown.exe.exe
  \??\c:\Windows\SysWOW64\IME\IMEJP\imjpuexc.exe.exe
  \??\c:\Windows\SysWOW64\RMActivate.exe.exe.exe
  \??\c:\Windows\SysWOW64\RpcPing.exe.exe
  \??\c:\Windows\SysWOW64\tcmsetup.exe.exe
  \??\c:\Windows\SysWOW64\w32tm.exe.exe
  \??\c:\Windows\SysWOW64\label.exe.exe
Drops file in Program Files directory 64 IoCs
Process: eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe; every IoC below is a "File created" event:
  \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\75.jpg.exe
  \??\c:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.exe
  \??\c:\Program Files\Java\jre-1.8\bin\tnameserv.exe.exe
  \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\organize_poster.jpg.exe.exe
  \??\c:\Program Files (x86)\Windows Media Player\wmplayer.exe.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV.exe
  \??\c:\Program Files\Java\jre-1.8\bin\orbd.exe.exe
  \??\c:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe.exe
  \??\c:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\MissingAlbumArt.jpg.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV.exe.exe
  \??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Diagram.jpg.exe
  \??\c:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe.exe
  \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\15.jpg.exe
  \??\c:\Program Files\Java\jdk-1.8\bin\jstack.exe.exe
  \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe.exe
  \??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.Brokered.exe.exe
  \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\optimize_poster.jpg.exe.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.exe
  \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe.exe
  \??\c:\Program Files\Windows Media Player\Media Renderer\DMR_48.jpg.exe.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV.exe
  \??\c:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_Tracing.jpg.exe
  \??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FirstRunMailBlurred.layoutdir-RTL.jpg.exe
  \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\combine_poster.jpg.exe
  \??\c:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE.exe
  \??\c:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe.exe
  \??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateSetup.exe.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\MEDIA\WHOOSH.WAV.exe.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE.exe
  \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\media_poster.jpg.exe.exe
  \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\10.jpg.exe
  \??\c:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Wood.jpg.exe
  \??\c:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\music_offline_demo_page1.jpg.exe
  \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\index_poster.jpg.exe
  \??\c:\Program Files\Java\jre-1.8\bin\java-rmi.exe.exe
  \??\c:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe.exe
  \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\19.jpg.exe
  \??\c:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe.exe
  \??\c:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe.exe
  \??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Sounds\SpeedLimitViolationAlert.wav.exe
  \??\c:\Program Files\Java\jdk-1.8\bin\jhat.exe.exe
  \??\c:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe.exe
  \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe.exe
  \??\c:\Program Files\Windows Media Player\wmpnetwk.exe.exe
  \??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AboutAdsGenericBackgroundImage.jpg.exe
  \??\c:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe.exe
  \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe.exe
  \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe.exe
  \??\c:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\8.jpg.exe
  \??\c:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe.exe
  \??\c:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.exe.exe
  \??\c:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireLargeTile.scale-100.jpg.exe
  \??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\javascript_poster.jpg.exe
  \??\c:\Program Files\Java\jdk-1.8\bin\kinit.exe.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE.exe
  \??\c:\Program Files\VideoLAN\VLC\uninstall.exe.exe
  \??\c:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe.exe
  \??\c:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe.exe
  \??\c:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireWideTile.scale-100.jpg.exe
  \??\c:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg7.jpg.exe
  \??\c:\Program Files\Java\jdk-1.8\bin\jrunscript.exe.exe
  \??\c:\Program Files\Java\jdk-1.8\bin\ktab.exe.exe
  \??\c:\Program Files\Microsoft Office\root\Office16\MEDIA\PUSH.WAV.exe.exe
  \??\c:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.exe
Drops file in Windows directory 64 IoCs
Process: eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe; every IoC below is a "File created" event:
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Alarm08.wav.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Windows Ding.wav.exe
  \??\c:\Windows\Media\onestop.mid.exe.exe
  \??\c:\Windows\Media\Ring07.wav.exe.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Windows Notify.wav.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.1266_none_fb76f6fb7e78a373\InputApp\InputApp\Assets\KbdFunction.wav.exe
  \??\c:\Windows\Web\4K\Wallpaper\Windows\img0_768x1366.jpg.exe
  \??\c:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_images_b03f5f7f11d50a3a_4.0.15805.0_none_3303de6fba37b5c7\topGradRepeat.jpg.exe
  \??\c:\Windows\WinSxS\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_10.0.19041.1266_none_8a8440f738abd1b9\DMR_48.jpg.exe
  \??\c:\Windows\Media\Windows Notify.wav.exe.exe
  \??\c:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe.exe
  \??\c:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\PeopleExperienceHost.exe.exe
  \??\c:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\SecureAssessmentBrowser.exe.exe
  \??\c:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\Assets\KbdFunction.wav.exe.exe
  \??\c:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe.exe
  \??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe.exe
  \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Alarm09.wav.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Ring03.wav.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Windows Print complete.wav.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-t..nbackgrounds-client_31bf3856ad364e35_10.0.19041.1_none_9307d11798cf436b\img102.jpg.exe
  \??\c:\Windows\splwow64.exe.exe
  \??\c:\Windows\Media\Speech Off.wav.exe.exe
  \??\c:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMSvcHost\v4.0_4.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe.exe
  \??\c:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe.exe
  \??\c:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\Assets\KbdSwipeGesture.wav.exe
  \??\c:\Windows\WinSxS\x86_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_10.0.19041.1_none_6fa7e5bbaa15a17d\help.jpg.exe
  \??\c:\Windows\Media\tada.wav.exe.exe
  \??\c:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe.exe
  \??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe.exe
  \??\c:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe.exe
  \??\c:\Windows\Web\Wallpaper\Theme2\img9.jpg.exe
  \??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe.exe
  \??\c:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  \??\c:\Windows\Media\Speech On.wav.exe
  \??\c:\Windows\Media\Windows Error.wav.exe
  \??\c:\Windows\Media\town.mid.exe.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\ScreenClipping\ScreenClipping\Assets\Sounds\camerashutter.wav.exe
  \??\c:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe.exe
  \??\c:\Windows\Media\chord.wav.exe.exe
  \??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Windows Hardware Fail.wav.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\onestop.mid.exe
  \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg.exe
  \??\c:\Windows\Web\Wallpaper\Theme2\img12.jpg.exe
  \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_10.0.19041.746_none_fa033ad7aa9be481\Speech Sleep.wav.exe
  \??\c:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe.exe
  \??\c:\Windows\Media\Ring06.wav.exe.exe
  \??\c:\Windows\Media\Speech On.wav.exe.exe
  \??\c:\Windows\Media\Windows Ringin.wav.exe.exe
  \??\c:\Windows\Media\Windows Startup.wav.exe.exe
  \??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe.exe
  \??\c:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe.exe
  \??\c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg.exe.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.173_none_6486f23c2831aaf3\InputApp\Assets\KbdFunction.wav.exe
  \??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe.exe
  \??\c:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe.exe
  \??\c:\Windows\Microsoft.NET\Framework64\v2.0.50727\AppLaunch.exe.exe
  \??\c:\Windows\Media\Windows Shutdown.wav.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\notify.wav.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Ring05.wav.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\flourish.mid.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
-
Modifies Control Panel 5 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\s1159 = "[ Moontok.B ]" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\s2359 = "[ Moontok.B ]" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\HungAppTimeout = "900000" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\WaitToKillAppTimeout = "900000" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Mouse\DoubleClickSpeed = "900" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
-
Modifies Internet Explorer settings 4 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Microsoft Internet Explorer provided by +++++<W32.Topinsutki.Moontok.B>+++++" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.infokomputer.com/" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://www.infokomputer.com/" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://www.infokomputer.com/" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.infokomputer.com/" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.infokomputer.com/" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
4696 eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
-
System policy modification 1 TTPs 5 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoShellSearchButton = "1" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoResolveSearch = "1" eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eec73d5e57d461298462bda0ae7097fc_JaffaCakes118.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4696
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 2
Privilege Escalation
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 2
Defense Evasion
Hide Artifacts 1
Hidden Files and Directories 1
Modify Registry 7
Downloads
-
Filesize 69KB
MD5 eec73d5e57d461298462bda0ae7097fc
SHA1 a7796955e0475408e42c70e1839d654c5c428885
SHA256 ee4e13296df83a615961a3f0b198df16dc872b758b19a2642fdc16c59ee1c0d2
SHA512 3c3587482479169b512d51b6637d9ee0136a4d0e6b86c5cde9081dac9497d85e2db7d92f2725883ad4628b0ab029d960bd0ed5c9ea1fc1baaf633dbf78d5cf0c