cd946f863145acbd83117ccb6ca83d5fe37207e3fa1d0751211ae5c6c0a21c04

Analysis

max time kernel
134s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
Size

149KB
MD5

2aca3f75294e962c8f5efab3326e9117
SHA1

81c045eb5f76697e786647b765d365d0262ab218
SHA256

cd946f863145acbd83117ccb6ca83d5fe37207e3fa1d0751211ae5c6c0a21c04
SHA512

f637604a0a76ac10a05770a79274d8e88f4c33c89beb7af83a3919471d4739020c235531f6b3c8c8039b543f71a51782d27cfcd6420f1a812c838a59ec85004e
SSDEEP

1536:RXcxTLIUH22hNPzEY0nbe6i4YrJENmjIDCJDGYygwtHZRzoeJPIHYZ0gr4OOUkN0:RRUB9zEY0beD4YbUGQYqXz/PIHjMRSu

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exemspaint.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Screen Saver Pro 3.1 = "C:\\Users\\Admin\\AppData\\Roaming\\ScreenSaverPro.scr"	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uanmng = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Uanmng.exe"	mspaint.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

mspaint.exesvchost.exe

description	ioc	process
File opened (read-only)	\??\D:	mspaint.exe
File opened (read-only)	\??\F:	mspaint.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe

description	pid	process	target process
PID 236 set thread context of 1908	236	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 1908 set thread context of 2756	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exesvchost.exemspaint.exe2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exeiexplore.exeIEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434643757"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{95D728D1-8645-11EF-81C1-5EE01BAFE073} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe

pid process

2756 2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
2756 2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe

pid process

1908 2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe

pid	process
2756	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
2756	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe

pid	process
1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exemspaint.exeIEXPLORE.EXEsvchost.exe

description	pid	process
Token: SeDebugPrivilege	2756	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
Token: SeDebugPrivilege	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
Token: SeDebugPrivilege	2088	mspaint.exe
Token: SeDebugPrivilege	1056	IEXPLORE.EXE
Token: SeDebugPrivilege	2872	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

576 IEXPLORE.EXE

pid	process
576	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

mspaint.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2088	mspaint.exe
2088	mspaint.exe
2088	mspaint.exe
2088	mspaint.exe
576	IEXPLORE.EXE
576	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE
1056	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exesvchost.exe2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exeiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 236 wrote to memory of 1908	236	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 236 wrote to memory of 1908	236	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 236 wrote to memory of 1908	236	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 236 wrote to memory of 1908	236	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 236 wrote to memory of 1908	236	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 236 wrote to memory of 1908	236	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 236 wrote to memory of 1908	236	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 236 wrote to memory of 1908	236	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 236 wrote to memory of 1908	236	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 236 wrote to memory of 1908	236	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 1908 wrote to memory of 2872	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	svchost.exe
PID 1908 wrote to memory of 2872	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	svchost.exe
PID 1908 wrote to memory of 2872	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	svchost.exe
PID 1908 wrote to memory of 2872	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	svchost.exe
PID 1908 wrote to memory of 2872	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	svchost.exe
PID 1908 wrote to memory of 2872	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	svchost.exe
PID 1908 wrote to memory of 2872	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	svchost.exe
PID 1908 wrote to memory of 2756	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 1908 wrote to memory of 2756	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 1908 wrote to memory of 2756	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 1908 wrote to memory of 2756	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 1908 wrote to memory of 2756	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 1908 wrote to memory of 2756	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 1908 wrote to memory of 2756	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 1908 wrote to memory of 2756	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 1908 wrote to memory of 2756	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 1908 wrote to memory of 2756	1908	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 2872 wrote to memory of 2088	2872	svchost.exe	mspaint.exe
PID 2872 wrote to memory of 2088	2872	svchost.exe	mspaint.exe
PID 2872 wrote to memory of 2088	2872	svchost.exe	mspaint.exe
PID 2872 wrote to memory of 2088	2872	svchost.exe	mspaint.exe
PID 2756 wrote to memory of 1712	2756	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	iexplore.exe
PID 2756 wrote to memory of 1712	2756	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	iexplore.exe
PID 2756 wrote to memory of 1712	2756	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	iexplore.exe
PID 2756 wrote to memory of 1712	2756	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	iexplore.exe
PID 1712 wrote to memory of 576	1712	iexplore.exe	IEXPLORE.EXE
PID 1712 wrote to memory of 576	1712	iexplore.exe	IEXPLORE.EXE
PID 1712 wrote to memory of 576	1712	iexplore.exe	IEXPLORE.EXE
PID 1712 wrote to memory of 576	1712	iexplore.exe	IEXPLORE.EXE
PID 576 wrote to memory of 1056	576	IEXPLORE.EXE	IEXPLORE.EXE
PID 576 wrote to memory of 1056	576	IEXPLORE.EXE	IEXPLORE.EXE
PID 576 wrote to memory of 1056	576	IEXPLORE.EXE	IEXPLORE.EXE
PID 576 wrote to memory of 1056	576	IEXPLORE.EXE	IEXPLORE.EXE
PID 2756 wrote to memory of 1908	2756	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 2756 wrote to memory of 1908	2756	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
PID 2756 wrote to memory of 2872	2756	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	svchost.exe
PID 2756 wrote to memory of 2872	2756	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	svchost.exe
PID 2756 wrote to memory of 2088	2756	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	mspaint.exe
PID 2756 wrote to memory of 2088	2756	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	mspaint.exe
PID 2756 wrote to memory of 1056	2756	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	IEXPLORE.EXE
PID 2756 wrote to memory of 1056	2756	2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:236
- C:\Users\Admin\AppData\Local\Temp\2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\system32\mspaint.exe"
      4⤵
      Adds Run key to start application
      Enumerates connected drives
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2088
- - C:\Users\Admin\AppData\Local\Temp\2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2aca3f75294e962c8f5efab3326e9117_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:576
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:576 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b5340a1acc2abb7a482a714fef9d672

SHA1
bfef5c0c837f608df9a18e3c6ee792e9b22fe524

SHA256
80887b813af6d2533aeb165803386171b943ec66269171065cdcf98383a65e9e

SHA512
1dcc8334c578ce62e6ec1797a215809bfd5378f3dd99f88a7b2b87d21765eb9fe3f47e662b5356b6aa1a7ca8a247eaa76fbfea907e402f9c815bcd8ed22a614b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a8ae48c165001b4ddbe28977a9c8223

SHA1
f14314c9bf4766aeb505cc034b67b73c80ed8cad

SHA256
49eae469dd24da99091ba9aecf434da9597ef0bd9fbc645911d65455891bfd4a

SHA512
0b76d07fe593b3ef82261c3e588406047e25a384a3d565c16f61f842c25ed9dab98384efd3743f4b0aefd11310504eec4594f396851b233f1e253f1cd8b1289b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0878111e65294637f479bc42e679b50b

SHA1
947fb66cfcef8bd5c2db6084133aa526d1b9ccdb

SHA256
dd74fd515224bd64a18346ae855c92b6161bd94d53a522b209f5fe1b49dcccb6

SHA512
8df5d376b1cd4f40bc1feae949a0daf75c414d4a43b58573b8466c94a6c2eb0968bccfbdf7eb84243a5ffc08dfaf3ec3cbe7034c405067adfc57c1f4f3bd3b38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35c1d0afb1c0b88303d8d81bcf5db034

SHA1
d6293f45bb5f57ec13701251bddee3e13d8780ca

SHA256
992b24e46925d3798c03a681e63e7ae31dd73235e2e58fa0e1318e383d6bfc64

SHA512
93a99699a0f2b9a446da0e7e58934c9641328596c453e8bfc7bd6ec7800fceb39840dc819945fe0a8807f70b0dd9dc9787b20273a8e0f2da04d3590f9f7f23c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52d71622fab556f132e0617abbbf3d99

SHA1
899e82dd4f670e616395d993fd496aaf24239088

SHA256
19ed35f63aaffa9a72647a0cce50c6bf66e1c1a786372b94dd9d7da0dac0f178

SHA512
e674ee10aebcba36860608c6d31ef812b6c12e825045f4911e60dd7ec023958c4ccf9fd9f15e3209dc207b948c48fa7380cd3eaa1a1ca45df2a329c164f7a0b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a2e75c88ce594c9b5edcfc121bdf3fb

SHA1
5ac847777c433e50255a79b428b63aaa2f91a172

SHA256
1aaccaaeaa94ceabdcfc3c8d104e9aeb2993244daefe5def25478cf22164c4b0

SHA512
8b988d343416eb5425eb6eaa9d47cf54e8d8a8185e020da695015ade3de3897236d31a086eca6e11f90920dbf17eb3f54dc9733fe5401b47a0c93354bd291a7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca178a56e3d0ef47b2f0b3aeea3fd260

SHA1
dbe3f862e564becaa219c2ba9ca08c0bc74d1f0a

SHA256
1f7cd5a17c2479cd5deee19f3b35c6c4ee2eb10e731dabf2c203f8d8bcc1fbc2

SHA512
0d80bea1f675df8235c49b6a0c2b76147401d294fef01ba7335a934affdd313157d2393ffd9aad07c43925987ef61d755b1335f0a77cf4b023eddcdc385aac5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48be04632687118cccf5cd6287f633c7

SHA1
0efa03f448db6e4867a0f29053f6602a2f291815

SHA256
899919120ddb01e0353c2c09fb16566a944fd1d21aace94253489155b9731051

SHA512
f71abbb2d3aea4278a21d781e10cba878e62443b46fcca8a69f73b1bef60d49c3c55e6221f28f872281896e2012dc9d3f26eded60a089089c33d900c129a44ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d3764363a1dafe7bfb5ee11ccc49f39

SHA1
1c4b9ac4e46c3337323662e3db3550c72745362d

SHA256
7a39fcae3bded384a725029bb0c2b561cd331f2cc77dc54dff05c5184d67fa5f

SHA512
7d0cc665ed92954145b6dac156542a182dc08f8462eade92ca072640518797306fc223da8bc4404455c6475cc5f15057f67e0df7a8b3c0f282cbcff1e22debfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
910fb04c44df8e6b37c3560e21776d6e

SHA1
d2e8f935ff2546293b6808b685995f5f0f834055

SHA256
0170b389b9cbe7a862ea6813eb2fa1d6fd11c5874b1e185c6b98cda8aac1e85a

SHA512
b5ea73d5a1f4bba6358e5726857c3470146b6a3b0791dd456167b5bd9f387c2fc55dbc60964eea55e529bbf66acf0d74d1ac4f642272bf15564dbe6708b46c62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c72ebb56d26ead9cd8e0cbeaa819657a

SHA1
eb3ebfb0ac8e10d6fe3dbdb0282ffb2ea3abeb36

SHA256
6969a447b0ca19694a503b05982e95167b43be6b0259609007215acbe6747156

SHA512
443791477a348c018564dbb09162a48456048d66e7782af09829df48f29b2ca975792f209765a86ab7a28141493ae29ea68dbbed9c334da7f2bc1627503d4931

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef831fb6aeafca8ddc2b0295cd1d81cb

SHA1
8d2aae71dfb47d7aa6ed7609c3a3fff0d5561ced

SHA256
360fafba03a8af4c1ff1d3a6f0694b6f65d3635e4f171270f281f3610e5592fd

SHA512
5a1bfad845bebbddb41a111b677eb48b7a811215e87a11d8410f5c5d3501059d204a7b291ea576f4245f39a0cbffa4570831ccf614d64312b777dee414c9632e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58fafa63022872b18447ec062d1f7661

SHA1
cbfd2ee07e3c3eb4bd60b4aec2847ee9c8567a87

SHA256
96f76eeb827d82b2eb28ef64dfdad82c303d776a9cb89fa80ef0cbed8e7792fb

SHA512
cddc1e60942c8be67c7015faa555dc8691f5aa888d7a76988d2e3abfd1ede518f97b1b5e44f79c7deef1f58eb02f27494f39ea9cb6f0d2fc39528f6519ca4c55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12cc329e7c2f9d0e566a8e2446c68da8

SHA1
27f039e6de02b84d91af703eb12457b284b402aa

SHA256
28a1b4aacf2835dd2ac0fbc1e0094234cf7bb00b064bcdc823334bddeb162784

SHA512
b4ba0cfcf58ab9d4135fe38dc99a4eedbf96861221cadb871691ac0ce3330e8a57343f104ae29b2ba403e867311e717fd4e27d9c4ad03c73ae9f7b288ad01715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f281e07d832c0587acdefe71f040453e

SHA1
c9981cb7ba6a4b1ac7664fa41ef9a2f3bb666ce9

SHA256
aab0cb49bca90224dd0fe694ba3ecc5ef6f6c154dae896ac8ffe7813e6c1e0b0

SHA512
6201574adf13a9dc556699f799232848d2aab464a91b368cde45967c98475decd3d66aa600ae3e7ad89d34b6acac31cba5bb85dd5a0ff0999479ce5c8bc6b31f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
286034def3c18696cf8fcebe44089374

SHA1
83884c1871287d2a44065db7c7ed252d9c1f5b4c

SHA256
8208c7e82eb4d24744deabb6397a6e68b118da19e81b2316fbe0032634923293

SHA512
c3df499b31b3422181a021b4f4252dd9764b5be81dc7278a1819b9cc61989bfa7623a7699ae7e87b86e948874a621f43d86757203a67d65d0a99373b30fc1203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5eca4f514d72544cbe08e1ff9d7b1820

SHA1
74a01514246db44529a7ecf78d171e2eea7c8a04

SHA256
1558278cc162172f07e6f5e39836e0fe1674287642ee636246107100192002ca

SHA512
2e975c01004a3933e42a1a82816d72a83f407d5b69db5f72e062f1661f88b4fd601987448e48098c586369702d0c48ad44039294863c13d4141b17cfb46764dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79af8d3c6346c86b3f77c92b3a62681a

SHA1
5629859491029e7eccfc89fd31ca508b5eb687ba

SHA256
64338b14654ddc924c3cfe0475bade7394ce126731a09ffb613aef4d984c58b9

SHA512
04c35c0a030b7336c8f973c9567ef955f245f767a4d97a4fe06d2c89ad841b5f9085c000f021bb7361b6e5af8c4381bb9c547475d5ae10cc51fe536553cadf94

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabECA3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarECF4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1908-50-0x0000000000060000-0x00000000000AE000-memory.dmp

Filesize
312KB

Download
memory/1908-6-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1908-2-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1908-24-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1908-4-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1908-67-0x0000000000060000-0x00000000000AE000-memory.dmp

Filesize
312KB

Download
memory/1908-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1908-15-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1908-8-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1908-37-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1908-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1908-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1908-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2088-65-0x0000000004320000-0x000000000436E000-memory.dmp

Filesize
312KB

Download
memory/2756-33-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-27-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-60-0x0000000000840000-0x000000000088E000-memory.dmp

Filesize
312KB

Download
memory/2756-42-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-86-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-39-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-31-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-29-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-36-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-25-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2872-43-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2872-23-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2872-21-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2872-20-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/2872-55-0x0000000000360000-0x00000000003AE000-memory.dmp

Filesize
312KB

Download