Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/10/2024, 15:43
Static task: static1
Behavioral task: behavioral1
  Sample: 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
Size: 12KB
MD5: 42ec8922736e487598a628cbe2b12efb
SHA1: 6989e3e0e5379efd5372187b35b5728c5ecf20b0
SHA256: e1084b11b372b79a666fce8568900f6e487de29866b7747ea13a37a75b081065
SHA512: 3cb47e7c28fb281783660ec4c0c0b3e32fc794045f17a86efe4e125ba3a024247ee582769ed898060675253dbfca83108b0dadd485fa5bf528246a433170bc5e
SSDEEP: 384:J0KjMB9JTUA0IKHpj8s8XH0grR0E/5i5:FjMyPIGjAHlC5
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (process: 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe)
Credentials from Password Stores: Windows Credential Manager (1 TTP)
Suspicious access to Credentials History.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\_Hazafibb = "C:\\Windows\\system32\\kwbusawe.exe" (process: 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe)
Drops file in System32 directory (16 IoCs)
Drops file in Program Files directory (11 IoCs)
Drops file in Windows directory (53 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: IEXPLORE.EXE)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe)
Suspicious use of FindShellTrayWindow (1 IoC)
PID 4476 iexplore.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
PID 4476 iexplore.exe
PID 4476 iexplore.exe
PID 1120 IEXPLORE.EXE
PID 1120 IEXPLORE.EXE
PID 1120 IEXPLORE.EXE
PID 1120 IEXPLORE.EXE
Suspicious use of WriteProcessMemory (5 IoCs)
PID 2104 wrote to memory of 4476 (process: 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe, procid_target: 84)
PID 2104 wrote to memory of 4476 (process: 42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe, procid_target: 84)
PID 4476 wrote to memory of 1120 (process: iexplore.exe, procid_target: 85)
PID 4476 wrote to memory of 1120 (process: iexplore.exe, procid_target: 85)
PID 4476 wrote to memory of 1120 (process: iexplore.exe, procid_target: 85)
Processes
C:\Users\Admin\AppData\Local\Temp\42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\42ec8922736e487598a628cbe2b12efb_JaffaCakes118.exe"
  PID: 2104
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://signin.ebay.com/ws/ebayisapi.dll
    PID: 4476
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4476 CREDAT:17410 /prefetch:2
      PID: 1120
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads