0622156672128934ab17a1c63221a5b2011e22318f25609d0cc5f442e1743dc1

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 09:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Size

1.6MB
MD5

2ec55ecdc4a32ad646c2ad1eb09c9bca
SHA1

27d883703e3035f72ea808502cec36f5ee22c381
SHA256

0622156672128934ab17a1c63221a5b2011e22318f25609d0cc5f442e1743dc1
SHA512

3d4a62cd8808cf201d6dd3aee25c18487588b8b2becc90468c96cf124246c4b07ba21a854e2f9c74d4e8988e3127d1390eb4c186c3f911248bded48559475bc7
SSDEEP

24576:OPHnNEK7vaXDgPdVLsMPo1n07+atcoi5i26SNGrqfcEy076CqPBfO7XZQDVeXs:qNUgPdVLFwB0Pt5ov6+fCK6CMteqP

Score

9^/10

collection credential_access discovery spyware stealer upx

Malware Config

Signatures

Detected Nirsoft tools 8 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/files/0x0008000000017520-15.dat	Nirsoft
behavioral1/memory/2740-25-0x0000000000400000-0x0000000000416000-memory.dmp	Nirsoft
behavioral1/memory/2632-35-0x0000000000400000-0x000000000041D000-memory.dmp	Nirsoft
behavioral1/memory/2728-46-0x0000000000400000-0x0000000000423000-memory.dmp	Nirsoft
behavioral1/memory/1420-51-0x0000000000400000-0x0000000000419000-memory.dmp	Nirsoft
behavioral1/memory/1420-56-0x0000000000400000-0x0000000000419000-memory.dmp	Nirsoft
behavioral1/files/0x0005000000019cd5-60.dat	Nirsoft
behavioral1/memory/2668-91-0x00000000005E0000-0x0000000000603000-memory.dmp	Nirsoft

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2632-35-0x0000000000400000-0x000000000041D000-memory.dmp	MailPassView
behavioral1/memory/2668-91-0x00000000005E0000-0x0000000000603000-memory.dmp	MailPassView

Executes dropped EXE 8 IoCs

pid	Process
2592	dialupass.exe
2740	ie.exe
2632	mailpv.exe
2728	mspass.exe
1420	netpass.exe
2500	pspv.exe
2956	steam.exe
1316	steam.exe

Loads dropped DLL 4 IoCs

pid	Process
2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	mailpv.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSINET.ocx	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2956 set thread context of 1316	2956	steam.exe	38

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000018741-21.dat	upx
behavioral1/memory/2740-24-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2740-25-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2668-28-0x0000000000320000-0x000000000033D000-memory.dmp	upx
behavioral1/files/0x000700000001907c-31.dat	upx
behavioral1/memory/2632-35-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2668-39-0x00000000005E0000-0x0000000000603000-memory.dmp	upx
behavioral1/files/0x000700000001919c-42.dat	upx
behavioral1/memory/2728-45-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2668-38-0x0000000000320000-0x0000000000336000-memory.dmp	upx
behavioral1/memory/2728-46-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x0005000000019bf2-50.dat	upx
behavioral1/memory/1420-51-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/1420-56-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/1316-74-0x0000000000400000-0x000000000078F000-memory.dmp	upx
behavioral1/memory/1316-85-0x0000000000400000-0x000000000078F000-memory.dmp	upx
behavioral1/memory/1316-76-0x0000000000400000-0x000000000078F000-memory.dmp	upx
behavioral1/memory/1316-81-0x0000000000400000-0x000000000078F000-memory.dmp	upx
behavioral1/memory/1316-72-0x0000000000400000-0x000000000078F000-memory.dmp	upx

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\netpass.exe	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
File opened for modification	C:\Windows\dialupass.exe	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
File created	C:\Windows\dialup.txt	dialupass.exe
File opened for modification	C:\Windows\ie.exe	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
File opened for modification	C:\Windows\mailpv.exe	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
File created	C:\Windows\mailpv.txt	mailpv.exe
File opened for modification	C:\Windows\pspv.exe	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
File opened for modification	C:\Windows\steam.txt	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
File opened for modification	C:\Windows\mspass.exe	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
File created	C:\Windows\pspv.txt	pspv.exe
File opened for modification	C:\Windows\steam.exe	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
File opened for modification	C:\Windows\steam.exe	steam.exe
File opened for modification	C:\Windows\dialup.txt	dialupass.exe
File created	C:\Windows\ie.txt	ie.exe
File created	C:\Windows\mspass.txt	mspass.exe
File created	C:\Windows\netpass.txt	netpass.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialupass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mailpv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netpass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pspv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CurVer	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID\ = "InetCtls.Inet"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Version\ = "1.0"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ThreadingModel = "Apartment"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\msinet.ocx"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Control	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\ = "Microsoft Internet Transfer Control 6.0"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0\win32	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\msinet.ocx"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32\ = "C:\\Windows\\SysWow64\\msinet.ocx"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\HELPDIR\	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ = "Microsoft Internet Transfer Control, version 6.0"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1\ = "132497"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\TypeLib	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\ = "0"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID\ = "InetCtls.Inet.1"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\msinet.ocx, 1"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ProgID	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Programmable	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\InprocServer32	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ = "DInetEvents"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E59294-9880-11CF-9754-00AA00C00908}\ = "Internet Control General Property Page Object"	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	ie.exe
Token: SeDebugPrivilege	2728	mspass.exe
Token: SeDebugPrivilege	1420	netpass.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
2956	steam.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2592	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2592	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2592	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2592	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2740	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2740	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2740	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2740	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2632	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2632	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2632	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2632	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2728	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2728	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2728	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	34
PID 2668 wrote to memory of 2728	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	34
PID 2668 wrote to memory of 1420	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	35
PID 2668 wrote to memory of 1420	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	35
PID 2668 wrote to memory of 1420	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	35
PID 2668 wrote to memory of 1420	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	35
PID 2668 wrote to memory of 2500	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	36
PID 2668 wrote to memory of 2500	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	36
PID 2668 wrote to memory of 2500	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	36
PID 2668 wrote to memory of 2500	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	36
PID 2668 wrote to memory of 2956	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	37
PID 2668 wrote to memory of 2956	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	37
PID 2668 wrote to memory of 2956	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	37
PID 2668 wrote to memory of 2956	2668	2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe	37
PID 2956 wrote to memory of 1316	2956	steam.exe	38
PID 2956 wrote to memory of 1316	2956	steam.exe	38
PID 2956 wrote to memory of 1316	2956	steam.exe	38
PID 2956 wrote to memory of 1316	2956	steam.exe	38
PID 2956 wrote to memory of 1316	2956	steam.exe	38
PID 2956 wrote to memory of 1316	2956	steam.exe	38
PID 2956 wrote to memory of 1316	2956	steam.exe	38
PID 2956 wrote to memory of 1316	2956	steam.exe	38

C:\Users\Admin\AppData\Local\Temp\2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\dialupass.exe
  C:\Windows\dialupass.exe /stext C:\Windows\dialup.txt
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2592
- C:\Windows\ie.exe
  C:\Windows\ie.exe /stext C:\Windows\ie.txt
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\mailpv.exe
  C:\Windows\mailpv.exe /stext C:\Windows\mailpv.txt
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook accounts
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2632
- C:\Windows\mspass.exe
  C:\Windows\mspass.exe /stext C:\Windows\mspass.txt
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\netpass.exe
  C:\Windows\netpass.exe /stext C:\Windows\netpass.txt
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\pspv.exe
  C:\Windows\pspv.exe /stext C:\Windows\pspv.txt
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2500
- C:\Windows\steam.exe
  C:\Windows\steam.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\steam.exe
    C:\Windows\steam.exe
    3⤵
    - Executes dropped EXE
    PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\dialupass.exe

Filesize
75KB

MD5
d4292602e6d519e75ca60db02cbe0a43

SHA1
8cf54e9e5e3c7b904c8c796a9e2de38b988e747a

SHA256
fc1bc82ad3fb64775ce9abd481f58efd58c7b0a8e017efe6b52067c578919a51

SHA512
c4801bb034a8a8794546c73cbfebce220a2486675abd3e825f36665deaf28e4213aa1932778e27492949e1c68e4b61f6f9d4efcaaa58e7d62c3c728f277e7922

Download Submit
C:\Windows\ie.exe

Filesize
35KB

MD5
65d23deb0b50875d9105cc3e595c7022

SHA1
b120f97a351346ed911bfed78a45a6c6e436a74e

SHA256
8b326947cccf08a939f0569f58d3711ec168e7321a23f74275508cfffd4acd3d

SHA512
18f3a15eb2c00927958f5d8bd709eea168cff92909d0aca0795864016dcd5640d4f85ad9ee55adad4db710feff7479c0755f4001978c62659f6567ebc54c8872

Download Submit
C:\Windows\mailpv.exe

Filesize
46KB

MD5
6f2c09baafc0d31f1ce0994f8f2d5048

SHA1
84573202cf87bbc995bb43be4b5cb41434aab059

SHA256
3098abdb835e9b266dad36173c20572edc44cd21501607622eb548787b3d54f5

SHA512
74bc6ab413d493d5210f7e7980bf2a020c3fed2fd2bafdb6563d041840550410db68bdf267576cacc5bc677f490f8d9189148ea87301777b56a9dd4ef1d749ae

Download Submit
C:\Windows\mspass.exe

Filesize
58KB

MD5
7cfb71efaa32f1fb654517aa1f4812f2

SHA1
b603236f708f15ac037ab2ddaf794c643482a873

SHA256
c2af90d91be1fee339be6e1fd60ce293e72cf6231b25dc29b67648fc3d046322

SHA512
5a6c1be82cc5f1f4de519bbfb7dc24adaa60493a8e8310be74803c3f0d98451345e6fbe8fdaa3da480c687d53dcf2b01d54ce96a2c519f3539e4be9465cdd636

Download Submit
C:\Windows\netpass.exe

Filesize
37KB

MD5
22f0f0aa39ff8dbcd3973c58ce7cc2c6

SHA1
f0ad2f34164702711fd73bdb6c2d870e0c8ab9f8

SHA256
aeecd4e8fc92ae0aa8d915d775aa872a7c4487420aabed7b6e27a762572eae92

SHA512
9387da7e7aa9ecb41bc096edd70fbaca8b398de318f98972dee2765d311502b687f2c364ff0ae20a2e60d568bdaf7bacb34e73b6dec0a9edf97b2a6366c478b0

Download Submit
C:\Windows\netpass.txt

Filesize
316B

MD5
d40c1a74c948b827e52e7c7579ffecd6

SHA1
f41bdb3e45e46e6feff3953bfe5ea30f61bc844e

SHA256
cdfeda58b8a72e1343abca1599cb8102ebb67352858828a33ea13c641854bdd3

SHA512
0c7a167351c7f636284f0f8d391e43d6d3f4fa3bf3017c36b4264f175a6551f59ae0a250b978424543ffb4365457a94ff567b1b9ed2d2884076215ac3f9b7a23

Download Submit
C:\Windows\pspv.exe

Filesize
51KB

MD5
35861f4ea9a8ecb6c357bdb91b7df804

SHA1
836cb49c8d08d5e305ab8976f653b97f1edba245

SHA256
64788b6f74875aed53ca80669b06f407e132d7be49586925dbb3dcde56cbca9c

SHA512
0fdfe62c86c8601bb98991149eea51ddf91b812ad2c2d45e53aaf1f36a09d00aaf02fc3d183179cf5367fda09d6f62d36c0187da2dfa5e08df4c07cf634690be

Download Submit
C:\Windows\steam.exe

Filesize
1.1MB

MD5
6ebdb72e7d7cc9a2f2931b2fb9b6e0ac

SHA1
333940eaa283d43f4de53fe339ecc02817e5778f

SHA256
39652b161be02bf9271178edf74db8fa0e42d677e95cf0cb6ce1d148a338fe9d

SHA512
79c4aa94e8971e3c0d545c87804cc8b444d9323ab5d7da53769d327c6d0b70833630844bb8a48d233a35a219c00f9817632f8d2152637b1ecf1924325fab54c9

Download Submit
C:\err_log.txt

Filesize
52B

MD5
6b3037dce73d1bd5b0c40dbc5f652249

SHA1
208a5e00829f9edcc6795f55b3bc1b2eb8941ab6

SHA256
8d039fe1dfda015aeb0c328dd04daddcc5c2f1b057cb16ad40d1e37a107da311

SHA512
eac0b7c94fae647e7e201d5ea99dba9805a51a477624ec704917eeea95ebc7d39bd36953bf08b9185393683cd5c3f1267b7cead0b3b3fbfc48ec88fbb3b4256e

Download Submit
\Windows\SysWOW64\MSINET.ocx

Filesize
112KB

MD5
7bec181a21753498b6bd001c42a42722

SHA1
3249f233657dc66632c0539c47895bfcee5770cc

SHA256
73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

SHA512
d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

Download Submit
memory/1316-71-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/1316-85-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/1316-74-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/1316-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1316-76-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/1316-81-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/1316-72-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/1420-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1420-51-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2632-35-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2668-33-0x0000000000320000-0x000000000033D000-memory.dmp

Filesize
116KB

Download
memory/2668-28-0x0000000000320000-0x000000000033D000-memory.dmp

Filesize
116KB

Download
memory/2668-93-0x0000000000320000-0x0000000000339000-memory.dmp

Filesize
100KB

Download
memory/2668-38-0x0000000000320000-0x0000000000336000-memory.dmp

Filesize
88KB

Download
memory/2668-43-0x00000000005E0000-0x0000000000603000-memory.dmp

Filesize
140KB

Download
memory/2668-92-0x00000000005E0000-0x0000000000603000-memory.dmp

Filesize
140KB

Download
memory/2668-39-0x00000000005E0000-0x0000000000603000-memory.dmp

Filesize
140KB

Download
memory/2668-52-0x0000000000320000-0x0000000000339000-memory.dmp

Filesize
100KB

Download
memory/2668-91-0x00000000005E0000-0x0000000000603000-memory.dmp

Filesize
140KB

Download
memory/2668-18-0x0000000000320000-0x0000000000336000-memory.dmp

Filesize
88KB

Download
memory/2668-22-0x0000000000320000-0x0000000000336000-memory.dmp

Filesize
88KB

Download
memory/2668-90-0x0000000000320000-0x000000000033D000-memory.dmp

Filesize
116KB

Download
memory/2728-45-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2728-46-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2740-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2740-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download