cf1399c3d0353a89a688f2241c81729ccddb5e445205abe8721b62940dccccb2

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
Size

303KB
MD5

2f05f7d1ad04c1ab3a71b5f7d30df4fa
SHA1

1bf10faa5af0efe5473d53a6a6f78a46cfd7e256
SHA256

cf1399c3d0353a89a688f2241c81729ccddb5e445205abe8721b62940dccccb2
SHA512

4e54be1f16746298504784cc88ccffba84f62fb3b57e432000c8657141480ffb27711d9e5da5c0cbdcba76cf5d06afb096545ccd229ab8d43441c5e964d79d68
SSDEEP

6144:X26oGcFo42LAgV8LLyrTEzh98wNry/fn:yGcyLAgVOhw

Score

7^/10

credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2436	mscorsvw.exe
2996	mscorsvw.exe
1668	OSE.EXE

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3434294380-2554721341-1919518612-1000	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3434294380-2554721341-1919518612-1000\EnableNotifications = "0"	OSE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\T:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\R:	OSE.EXE
File opened (read-only)	\??\X:	OSE.EXE
File opened (read-only)	\??\H:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\L:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\Z:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\I:	OSE.EXE
File opened (read-only)	\??\Q:	OSE.EXE
File opened (read-only)	\??\V:	OSE.EXE
File opened (read-only)	\??\O:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\Q:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\V:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\W:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\M:	OSE.EXE
File opened (read-only)	\??\Y:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\O:	OSE.EXE
File opened (read-only)	\??\W:	OSE.EXE
File opened (read-only)	\??\Y:	OSE.EXE
File opened (read-only)	\??\J:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\M:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\S:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\G:	OSE.EXE
File opened (read-only)	\??\H:	OSE.EXE
File opened (read-only)	\??\L:	OSE.EXE
File opened (read-only)	\??\U:	OSE.EXE
File opened (read-only)	\??\I:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\X:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\E:	OSE.EXE
File opened (read-only)	\??\J:	OSE.EXE
File opened (read-only)	\??\T:	OSE.EXE
File opened (read-only)	\??\Z:	OSE.EXE
File opened (read-only)	\??\E:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\U:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\K:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\N:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\P:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\R:	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened (read-only)	\??\K:	OSE.EXE
File opened (read-only)	\??\N:	OSE.EXE
File opened (read-only)	\??\P:	OSE.EXE
File opened (read-only)	\??\S:	OSE.EXE

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\searchindexer.vir	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\dllhost.vir	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	OSE.EXE
File created	\??\c:\windows\SysWOW64\svchost.vir	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	OSE.EXE
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	OSE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	OSE.EXE
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	OSE.EXE
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	OSE.EXE
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{06F94B3F-CB3A-4D0D-9255-EDF0828B6421}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{06F94B3F-CB3A-4D0D-9255-EDF0828B6421}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	OSE.EXE
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	OSE.EXE
File opened for modification	\??\c:\windows\ehome\ehsched.exe	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	OSE.EXE
File opened for modification	\??\c:\windows\ehome\ehsched.exe	OSE.EXE
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	OSE.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdExecute	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdExecute\server\ = "sndrec32.exe"	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdFileEditing\server	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdFileEditing	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdFileEditing\server\ = "sndrec32.exe"	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdExecute\server	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE
1668	OSE.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2568	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2636	msiexec.exe
Token: SeTakeOwnershipPrivilege	2636	msiexec.exe
Token: SeSecurityPrivilege	2636	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	OSE.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2568	2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2f05f7d1ad04c1ab3a71b5f7d30df4fa_JaffaCakes118.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:2768

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
284KB

MD5
e439430997faf032bb90db4cb3cfb85d

SHA1
f5faec3b5a9b6a72e3434ed146fe1cf6fbf692a8

SHA256
d15fafd0644267bcef470fe5eb5b87aac659560e973ed4843881b06f644afddb

SHA512
98f9d641157b47abf6a5046488da7c77a4a80875265267bd18395926ff167635c24a0c73e8979e9614a2b28a6126bafbc5364c9da43b6a242b9e7133c380801c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.2MB

MD5
8174bc516ba6943da8e0f2daec453f27

SHA1
414db3d2b6875d529a290517033fbf8002a4b319

SHA256
f4a842742e5554defbac5cefa75c8d8313191d0ec0b7d6a3ddeb7a1dfbb1364a

SHA512
a9b0a6951aa76a1cc37b470a9089237652e2c1c6f6dc9aa0200f1356e2653b0a216bc3082c14659be59657323ee890ae92338129837add13dc12e0bbdbafcb96

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
284KB

MD5
e7aa3cbab6f5539c8398e411583a9973

SHA1
9afd2c40183a88498071ba8bfc75706203456163

SHA256
a75262990a6bfe395c57a37995cb729c21176048e1edd4e94a3f7ea54bf7b743

SHA512
6ccbb0fbdb72b2707252f611eb4c7b18cfc1a662910e0b330f48fc493d2fce17ad74f19ea8286636d78716829bd04419205e9bdb98ddced4c6f9eb4bdb18f9c6

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
203KB

MD5
13e00861f4edeacaee0c0f9cd2f5fddc

SHA1
de7b1810f95e8ac9671c845d2213eb63999714d2

SHA256
519e0208af25b92bde2997b011bb40c096429ec40784ff5c532830c5edad6964

SHA512
62863188dd585a8aac77eed7ae115a447180ff8695b449f2a7c47c8796b60144465fa760c17b27a53234c6a95fa949865d4ff5c1d1a60fbe46eeeb799234265c

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
473dcb4a9d0b96d33dcd6c57f37cd74c

SHA1
439ee2a1a1849431f7a2fc7a694721edcd2815ed

SHA256
85790ce46661384c5a37eaca4bb2d7c9cad6e9205c29b95d2ff2f6b95e30b16d

SHA512
f89a220a71bc0811411c2f68f393c2789af79c42cdeef75893755ec050f320bbef0fbee565944a47a5ec2bbf1e3a49e17625004f2653dc667686b8c70474d6ff

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
234KB

MD5
fae9455638637bb5e11f261b6283e1f3

SHA1
2a7fff617ec38d40f294f79f7f6a2ac2d1f310ec

SHA256
c1f4d05245d8ccceba04373c6f4e86535b6836fdeb60936b826e3dabc57101e9

SHA512
69b12aee8ec86a4c0f6803ed768134f2600bb6f09d9c8aefb86423fe1102560c592bb8883f120434fd65085750bc528745a94b989744c374582e504f9949d28b

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
29.7MB

MD5
30b8b179e7b07beca51e98cfb19f3d5c

SHA1
f6fc6ea9761700a90c2fe3570e7d13cc65dd8190

SHA256
d33f43f53a6f7fe147b0050aaeac9382429b770da19fc33b2a6fdd64b34a6112

SHA512
2c4c425febca8c3e181bcd69b76c4ee79a5bb0f1874fc621bc43d03e8f47c06d4a72f05a8e7fc389a675aaa20f343102db6f4f0a18b94ad3d7a63c9c306e1eea

Download Submit
\??\c:\windows\SysWOW64\searchindexer.exe

Filesize
562KB

MD5
b1c233cf1a8310b5acbd48129ff52ab2

SHA1
531a22abb505613789d387bce75bd0f0741cc385

SHA256
4c1026cfb44c2b14e7fb64947ad559875335896866db9693c9d35fea78529b5f

SHA512
aba8576174bcb12757481813a4e50d3b127d629b642c461ddcb555173cc407f8f4f3dda055d01aa83b570d2f712429facb25fcfe6bf490cfae6a7a1f827b70e5

Download Submit
\??\c:\windows\SysWOW64\svchost.exe

Filesize
164KB

MD5
95bb49225773ebb857c48fea3aa0fb4d

SHA1
4d230cfc577221320ca0aa56f0ff89a46c3328d8

SHA256
6fa3aed60fdba8994aa99351194f7bc80d4ceb83b898f5440d9205549ad6c819

SHA512
9c84fe95ce65be1f56fca869241bce97ae574ed9cf905ba3205fdc56c30efb56be338ada0b08f3ebab38ba8ed144b5f74ae436952365eebbe09560e01384e41d

Download Submit
memory/1668-46-0x000000002E013000-0x000000002E015000-memory.dmp

Filesize
8KB

Download
memory/1668-45-0x000000002E000000-0x000000002E086000-memory.dmp

Filesize
536KB

Download
memory/1668-75-0x000000002E000000-0x000000002E086000-memory.dmp

Filesize
536KB

Download
memory/2436-31-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download
memory/2436-14-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2436-13-0x0000000010000000-0x0000000010070000-memory.dmp

Filesize
448KB

Download
memory/2568-0-0x0000000001000000-0x000000000108A000-memory.dmp

Filesize
552KB

Download
memory/2568-2-0x0000000001000000-0x000000000108A000-memory.dmp

Filesize
552KB

Download
memory/2568-1-0x000000000100E000-0x000000000100F000-memory.dmp

Filesize
4KB

Download
memory/2996-25-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download