Analysis
max time kernel: 150s
max time network: 136s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14/10/2024, 15:43
Static task: static1
Behavioral task: behavioral1
Sample: 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
Size: 12KB
MD5: 42ec8922736e487598a628cbe2b12efb
SHA1: 6989e3e0e5379efd5372187b35b5728c5ecf20b0
SHA256: e1084b11b372b79a666fce8568900f6e487de29866b7747ea13a37a75b081065
SHA512: 3cb47e7c28fb281783660ec4c0c0b3e32fc794045f17a86efe4e125ba3a024247ee582769ed898060675253dbfca83108b0dadd485fa5bf528246a433170bc5e
SSDEEP: 384:J0KjMB9JTUA0IKHpj8s8XH0grR0E/5i5:FjMyPIGjAHlC5
Malware Config
Signatures
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\_Hazafibb = "C:\\Windows\\system32\\brdwgtet.exe" | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
Drops file in System32 directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\brdwgtet.dll | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dhiozppy.dll | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\vmxxrtxw.dll | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\irvclfil.dll | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\otaoztqm.dll | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ahjqutqu.dll | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\wruyszml.dll | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ntippcwi.dll | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\brdwgtet.exe | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\sitqvyud.dll | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\fqwpaiff.dll | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\IME\shared\winamp 7.0 full_install.exe | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\bdteitrl.dll | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\IME\shared\Total Commander 7.0 full_install.exe | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Windows Sidebar\Shared Gadgets\winamp 7.0 full_install.exe | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\winamp 7.0 full_install.exe | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\Total Commander 7.0 full_install.exe | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Total Commander 7.0 full_install.exe | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\winamp 7.0 full_install.exe | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\Total Commander 7.0 full_install.exe | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
Drops file in Windows directory 35 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Modifies Internet Explorer settings
(IE = \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer)
description | ioc | Process
Set value (str) | IE\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (int) | IE\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | IE\LowRegistry | iexplore.exe
Key created | IE\Toolbar\WebBrowser | iexplore.exe
Key created | IE\Zoom | iexplore.exe
Key created | IE\DOMStorage | IEXPLORE.EXE
Set value (int) | IE\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | IE\Main\FullScreen = "no" | iexplore.exe
Key created | IE\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | IE\Main | iexplore.exe
Key created | IE\GPU | iexplore.exe
Key created | IE\Recovery\AdminActive | iexplore.exe
Key created | IE\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | IE\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | IE\DomainSuggestion | iexplore.exe
Key created | IE\SearchScopes | iexplore.exe
Key created | IE\LowRegistry\DOMStorage | iexplore.exe
Key created | IE\Toolbar | iexplore.exe
Set value (int) | IE\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | IE\DOMStorage\facebook.com | IEXPLORE.EXE
Set value (int) | IE\DomainSuggestion\NextUpdateDate = "435082478" | iexplore.exe
Set value (int) | IE\Recovery\AdminActive\{0FBCA571-8A43-11EF-B5A6-7A9F8CACAEA3} = "0" | iexplore.exe
Set value (int) | IE\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | IE\TabbedBrowsing | iexplore.exe
Set value (data) | IE\TabbedBrowsing\NewTabPage\MFV = (binary value not preserved in the report) | iexplore.exe
Set value (data) | IE\TabbedBrowsing\NewTabPage\DecayDateQueue = (binary blob omitted) | iexplore.exe
Set value (data) | IE\TabbedBrowsing\NewTabPage\LastProcessed = 302ce5e64f1edb01 | iexplore.exe
Key created | IE\IETld\LowMic | iexplore.exe
Set value (data) | IE\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | IE\Recovery\PendingRecovery | iexplore.exe
Set value (int) | IE\SearchScopes\DownloadRetries = "2" | iexplore.exe
Key created | IE\PageSetup | iexplore.exe
Key created | IE\Main\WindowsSearch | iexplore.exe
Key created | IE\Main | IEXPLORE.EXE
Set value (int) | IE\DOMStorage\facebook.com\NumberOfSubdomains = "1" | IEXPLORE.EXE
Key created | IE\BrowserEmulation\LowMic | iexplore.exe
Key created | IE\IntelliForms | iexplore.exe
Key created | IE\InternetRegistry | iexplore.exe
Key created | IE\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2540 | iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
2540 | iexplore.exe
2540 | iexplore.exe
2548 | IEXPLORE.EXE
2548 | IEXPLORE.EXE
2548 | IEXPLORE.EXE
2548 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2112 wrote to memory of 2540 | 2112 | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe | 30
PID 2112 wrote to memory of 2540 | 2112 | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe | 30
PID 2112 wrote to memory of 2540 | 2112 | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe | 30
PID 2112 wrote to memory of 2540 | 2112 | 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe | 30
PID 2540 wrote to memory of 2548 | 2540 | iexplore.exe | 31
PID 2540 wrote to memory of 2548 | 2540 | iexplore.exe | 31
PID 2540 wrote to memory of 2548 | 2540 | iexplore.exe | 31
PID 2540 wrote to memory of 2548 | 2540 | iexplore.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe"
  PID: 2112
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/
    PID: 2540
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2540 CREDAT:275457 /prefetch:2
      PID: 2548
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution 1
    Registry Run Keys / Startup Folder 1
Credential Access
  Credentials from Password Stores 1
    Credentials from Web Browsers 1
  Unsecured Credentials 1
    Credentials In Files 1
Downloads