Analysis
-
max time kernel
66s -
max time network
53s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
19-12-2024 21:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe
Resource
win11-20241007-en
windows11-21h2-x64
22 signatures
150 seconds
General
-
Target
d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe
-
Size
808KB
-
MD5
d239a049a6e4eb2cb428d7905a98ac37
-
SHA1
58ae995ee60b72fdac3c46caca6b2e4e5f65b847
-
SHA256
18f4035381c01ac7eba826bf786103b091ce6f0c05943722a2996dbf14744689
-
SHA512
4ea8e18c6e321aecbbca84afd6637e9442193e79638502af77fff54edbda98038af9a35d2e838fd5cbed34da50d08c051f2653dbffb8abb6201dd15250a0bc6c
-
SSDEEP
24576:eqjP6+LOd94zc5tKEFV4dwVtNo1+XjOYl:eK8qcWG4deXRKw
Malware Config
Signatures
-
MassLogger
Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
-
MassLogger Main payload 1 IoCs
resource yara_rule behavioral1/memory/4484-26-0x0000000000400000-0x0000000000486000-memory.dmp family_masslogger -
Masslogger family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1064 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Control Panel\International\Geo\Nation d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key opened \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key opened \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key opened \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key opened \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key opened \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key opened \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key opened \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 17 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3864 set thread context of 4484 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 87 -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe -
Modifies registry class 10 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \Registry\User\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\NotificationData explorer.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings control.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings taskmgr.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1900 explorer.exe 4484 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 4484 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 4484 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4484 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 4484 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 1064 powershell.exe 1064 powershell.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeShutdownPrivilege 2112 control.exe Token: SeCreatePagefilePrivilege 2112 control.exe Token: SeDebugPrivilege 4220 taskmgr.exe Token: SeSystemProfilePrivilege 4220 taskmgr.exe Token: SeCreateGlobalPrivilege 4220 taskmgr.exe Token: SeDebugPrivilege 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Token: SeDebugPrivilege 4484 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe Token: SeDebugPrivilege 1064 powershell.exe -
Suspicious use of FindShellTrayWindow 62 IoCs
pid Process 1900 explorer.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe -
Suspicious use of SendNotifyMessage 61 IoCs
pid Process 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe 4220 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4484 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 1900 wrote to memory of 4220 1900 explorer.exe 83 PID 1900 wrote to memory of 4220 1900 explorer.exe 83 PID 3864 wrote to memory of 4196 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 85 PID 3864 wrote to memory of 4196 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 85 PID 3864 wrote to memory of 4196 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 85 PID 3864 wrote to memory of 1532 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 86 PID 3864 wrote to memory of 1532 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 86 PID 3864 wrote to memory of 1532 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 86 PID 3864 wrote to memory of 4484 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 87 PID 3864 wrote to memory of 4484 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 87 PID 3864 wrote to memory of 4484 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 87 PID 3864 wrote to memory of 4484 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 87 PID 3864 wrote to memory of 4484 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 87 PID 3864 wrote to memory of 4484 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 87 PID 3864 wrote to memory of 4484 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 87 PID 3864 wrote to memory of 4484 3864 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 87 PID 4484 wrote to memory of 1064 4484 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 92 PID 4484 wrote to memory of 1064 4484 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 92 PID 4484 wrote to memory of 1064 4484 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe 92 -
outlook_office_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe -
outlook_win_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe"{path}"2⤵PID:4196
-
-
C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe"{path}"2⤵PID:1532
-
-
C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe"{path}"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4484 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064
-
-
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2112
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
PID:1716
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /72⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4220
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:760
-
C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
PID:1452
-
C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
PID:1628
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d239a049a6e4eb2cb428d7905a98ac37_JaffaCakes118.exe.log
Filesize1KB
MD57e1ed0055c3eaa0bbc4a29ec1ef15a6a
SHA1765b954c1adbb6a6ecc4fe912fdaa6d0fba0ae7d
SHA2564c17576f64dea465c45a50573ee41771f7be9962ab2d07f961af4df5589bdcce
SHA512de7c784c37d18c43820908add88f08ab4864c0ef3f9d158cc2c9d1bab120613cb093dd4bfc5d7ed0c289414956cfe0b213c386f8e6b5753847dec915566297c8
-
Filesize
28KB
MD5393738f09c6138bc20ef0edd843d37dc
SHA17ebbfb06caa94a853f40eb5afae9c1989b59dc65
SHA256ce112a6793b0d4bfd42d5065320e720d50852c0f51a0b3d54dae695980b6ef87
SHA51289da410b4952042d9b0c42b26bf6561679831e6434990355612301341fe32d8d47346d6cff8645c9d5fa8e075e0a906a6792cccfa152f8b3d40c1eec561abec3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82