Analysis

- max time kernel: 94s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-10-2024 09:34

- Static task: static1
- Behavioral task: behavioral1
  Sample: 2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
  Resource: win7-20240708-en
- Behavioral task: behavioral2
  Sample: 2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

- Target: 2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
- Size: 1.6MB
- MD5: 2ec55ecdc4a32ad646c2ad1eb09c9bca
- SHA1: 27d883703e3035f72ea808502cec36f5ee22c381
- SHA256: 0622156672128934ab17a1c63221a5b2011e22318f25609d0cc5f442e1743dc1
- SHA512: 3d4a62cd8808cf201d6dd3aee25c18487588b8b2becc90468c96cf124246c4b07ba21a854e2f9c74d4e8988e3127d1390eb4c186c3f911248bded48559475bc7
- SSDEEP: 24576:OPHnNEK7vaXDgPdVLsMPo1n07+atcoi5i26SNGrqfcEy076CqPBfO7XZQDVeXs:qNUgPdVLFwB0Pt5ov6+fCK6CMteqP
Signatures

Detected Nirsoft tools (6 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource | yara_rule
  behavioral2/files/0x0008000000023ca5-15.dat | Nirsoft
  behavioral2/memory/4564-22-0x0000000000400000-0x0000000000416000-memory.dmp | Nirsoft
  behavioral2/memory/60-35-0x0000000000400000-0x0000000000423000-memory.dmp | Nirsoft
  behavioral2/memory/4540-29-0x0000000000400000-0x000000000041D000-memory.dmp | Nirsoft
  behavioral2/memory/2864-43-0x0000000000400000-0x0000000000419000-memory.dmp | Nirsoft
  behavioral2/files/0x0007000000023caf-45.dat | Nirsoft

NirSoft MailPassView (1 IoC)
Password recovery tool for various email clients
  resource | yara_rule
  behavioral2/memory/4540-29-0x0000000000400000-0x000000000041D000-memory.dmp | MailPassView

Executes dropped EXE (8 IoCs)
  pid | Process
  2244 | dialupass.exe
  4564 | ie.exe
  4540 | mailpv.exe
  60 | mspass.exe
  2864 | netpass.exe
  3472 | pspv.exe
  2560 | steam.exe
  2220 | steam.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  3620 | 2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
  3620 | 2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Unsecured Credentials: Credentials In Files (1 TTP)
Steal credentials from unsecured files.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | mailpv.exe

Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\MSINET.ocx | 2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2560 set thread context of 2220 | 2560 | steam.exe | 95
UPX packed resources (yara_rule upx, 17 IoCs)
  resource | yara_rule
  behavioral2/files/0x0007000000023ca7-18.dat | upx
  behavioral2/memory/4564-19-0x0000000000400000-0x0000000000416000-memory.dmp | upx
  behavioral2/memory/4540-25-0x0000000000400000-0x000000000041D000-memory.dmp | upx
  behavioral2/files/0x0007000000023ca9-24.dat | upx
  behavioral2/memory/4564-22-0x0000000000400000-0x0000000000416000-memory.dmp | upx
  behavioral2/files/0x0007000000023cab-31.dat | upx
  behavioral2/memory/60-33-0x0000000000400000-0x0000000000423000-memory.dmp | upx
  behavioral2/memory/60-35-0x0000000000400000-0x0000000000423000-memory.dmp | upx
  behavioral2/memory/2864-38-0x0000000000400000-0x0000000000419000-memory.dmp | upx
  behavioral2/files/0x0007000000023cad-37.dat | upx
  behavioral2/memory/4540-29-0x0000000000400000-0x000000000041D000-memory.dmp | upx
  behavioral2/memory/2864-43-0x0000000000400000-0x0000000000419000-memory.dmp | upx
  behavioral2/memory/2220-55-0x0000000000400000-0x000000000078F000-memory.dmp | upx
  behavioral2/memory/2220-53-0x0000000000400000-0x000000000078F000-memory.dmp | upx
  behavioral2/memory/2220-62-0x0000000000400000-0x000000000078F000-memory.dmp | upx
  behavioral2/memory/2220-59-0x0000000000400000-0x000000000078F000-memory.dmp | upx
  behavioral2/memory/2220-54-0x0000000000400000-0x000000000078F000-memory.dmp | upx
Drops file in Windows directory (16 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\steam.txt | 2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
  File created | C:\Windows\dialup.txt | dialupass.exe
  File opened for modification | C:\Windows\mspass.exe | 2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
  File opened for modification | C:\Windows\steam.exe | 2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
  File opened for modification | C:\Windows\steam.exe | steam.exe
  File opened for modification | C:\Windows\pspv.exe | 2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
  File created | C:\Windows\pspv.txt | pspv.exe
  File opened for modification | C:\Windows\dialupass.exe | 2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
  File opened for modification | C:\Windows\mailpv.exe | 2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
  File created | C:\Windows\mspass.txt | mspass.exe
  File opened for modification | C:\Windows\netpass.exe | 2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
  File created | C:\Windows\netpass.txt | netpass.exe
  File opened for modification | C:\Windows\dialup.txt | dialupass.exe
  File opened for modification | C:\Windows\ie.exe | 2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
  File created | C:\Windows\ie.txt | ie.exe
  File created | C:\Windows\mailpv.txt | mailpv.exe
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | steam.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dialupass.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ie.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mailpv.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mspass.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netpass.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pspv.exe
Modifies registry class (64 IoCs)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  60 | mspass.exe
  60 | mspass.exe
  2864 | netpass.exe
  2864 | netpass.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4564 | ie.exe
  Token: SeDebugPrivilege | 60 | mspass.exe
  Token: SeDebugPrivilege | 2864 | netpass.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  3620 | 2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe
  2560 | steam.exe

Suspicious use of WriteProcessMemory (29 IoCs)
Processes
(Indentation shows the process tree: each child process is listed beneath its parent.)

C:\Users\Admin\AppData\Local\Temp\2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe (PID 3620)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\dialupass.exe (PID 2244)
    Command line: C:\Windows\dialupass.exe /stext C:\Windows\dialup.txt
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery

  C:\Windows\ie.exe (PID 4564)
    Command line: C:\Windows\ie.exe /stext C:\Windows\ie.txt
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\mailpv.exe (PID 4540)
    Command line: C:\Windows\mailpv.exe /stext C:\Windows\mailpv.txt
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery

  C:\Windows\mspass.exe (PID 60)
    Command line: C:\Windows\mspass.exe /stext C:\Windows\mspass.txt
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\netpass.exe (PID 2864)
    Command line: C:\Windows\netpass.exe /stext C:\Windows\netpass.txt
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\pspv.exe (PID 3472)
    Command line: C:\Windows\pspv.exe /stext C:\Windows\pspv.txt
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery

  C:\Windows\steam.exe (PID 2560)
    Command line: C:\Windows\steam.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\steam.exe (PID 2220)
      Command line: C:\Windows\steam.exe
      - Executes dropped EXE

C:\Windows\System32\rundll32.exe (PID 3716)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\2ec55ecdc4a32ad646c2ad1eb09c9bca_JaffaCakes118.exe"
  - Modifies registry class
TTP mappings: MITRE ATT&CK Enterprise v15