Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
31/12/2024, 07:02
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
Resource
win7-20240903-en
General
-
Target
JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
-
Size
645KB
-
MD5
09d607bb679423c3a1636d922b0470a8
-
SHA1
29895b10fbb22ea67adc7c05f9bde69dc79d8f68
-
SHA256
52c44545129a7efe21cc8a3b71a4166af528a5b5142425617dcc907f62471478
-
SHA512
90413037654dec1ecdd469cdc8a863ae82ac586a30f9e683aa1b9e3f8a54bc494fb99860f4fd4af4e5bc1da6974501af5a3c91e063fb762528f2f559a23ce0b6
-
SSDEEP
12288:rYG8GLVeUF+bZnoD2kUQf3zyJQ/aEy+W27jIhyeNnCZ:0G8GLwA+bZWXUQfDyqCINghygnCZ
Malware Config
Signatures
-
Expiro family
-
Expiro payload 1 IoCs
resource yara_rule behavioral2/memory/5060-2-0x0000000000400000-0x00000000005CF000-memory.dmp family_expiro1 -
Executes dropped EXE 6 IoCs
pid Process 2416 elevation_service.exe 2988 elevation_service.exe 2492 maintenanceservice.exe 3700 OSE.EXE 2480 ssh-agent.exe 4828 TrustedInstaller.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Drops Chrome extension 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\L: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\N: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\P: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\S: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\U: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\V: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\E: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\H: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\I: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\M: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\Q: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\O: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\T: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\Y: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\Z: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\G: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\K: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\R: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\W: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened (read-only) \??\X: JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe -
Drops file in System32 directory 61 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\msdtc.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created \??\c:\windows\system32\msiexec.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\fxssvc.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\openssh\ssh-agent.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\Agentservice.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\wbem\wmiApsrv.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\svchost.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\msiexec.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\sgrmbroker.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\alg.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created \??\c:\windows\system32\msdtc.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\perfhost.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created \??\c:\windows\SysWOW64\msiexec.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\alg.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\lsass.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\fxssvc.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created \??\c:\windows\system32\Appvclient.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\dllhost.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created \??\c:\windows\system32\Agentservice.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\vds.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\vssvc.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\locator.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\vds.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\searchindexer.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\lsass.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\sensordataservice.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\spectrum.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\Appvclient.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\Appvclient.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\dllhost.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\searchindexer.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\snmptrap.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\snmptrap.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\tieringengineservice.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\openssh\ssh-agent.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\svchost.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\msdtc.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\locator.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\wbengine.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\wbengine.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\vssvc.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\sgrmbroker.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\tieringengineservice.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\sensordataservice.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\system32\Agentservice.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\spectrum.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created \??\c:\windows\system32\openssh\ssh-agent.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created \??\c:\windows\system32\wbengine.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created \??\c:\windows\system32\fxssvc.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\windows\SysWOW64\msiexec.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created \??\c:\windows\system32\snmptrap.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Internet Explorer\ielowutil.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\bin\idlj.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\bin\javah.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Internet Explorer\iexplore.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jre-1.8\bin\javaw.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\bin\jcmd.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\bin\kinit.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\klist.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jre-1.8\bin\orbd.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\bin\wsgen.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\bin\javadoc.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\bin\schemagen.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jre-1.8\bin\pack200.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\7-Zip\7zG.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\bin\javaws.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\bin\jstack.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\bin\xjc.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jre-1.8\bin\rmiregistry.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jre-1.8\bin\tnameserv.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\dotnet\dotnet.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\servertool.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\7-Zip\7zFM.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\bin\wsimport.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\bin\jjs.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\ktab.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\javaw.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\jre\bin\orbd.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jre-1.8\bin\policytool.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification \??\c:\program files\common files\microsoft shared\source engine\ose.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Common Files\microsoft shared\ink\TabTip.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Program Files\Java\jdk-1.8\bin\jdeps.vir JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification \??\c:\windows\servicing\trustedinstaller.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe File created C:\Windows\Logs\CBS\CBS.log TrustedInstaller.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TrustedInstaller.exe File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 660 Process not Found 660 Process not Found -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 5060 JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09d607bb679423c3a1636d922b0470a8.exe"1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5060
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2416
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2988
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:2492
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:3700
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:2480
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4828
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD56676bcc135a48f1a59fb6dbaae84a050
SHA1d47e70b67f061971ddaf5dfd96bcb0f6af3ecdd8
SHA256fafc2b802625e5b36549bec8951834cf200e594408ae5f4a1871b5ac9d69bb9d
SHA5125a79cbd051a84d8aae9070e055c709ec8d6f46a87e128667758cb93a8196a883b788c8e66254179caa92c88dd4059408e2d87283c59286bd82a598190289b079
-
Filesize
723KB
MD54f4c48ce6146bf2f85f2a73e47c5192c
SHA1dca3c52694705cae43c1d977a5070327280ac319
SHA25625fc2c0693eb63f68d1589c5e439c39e18764d921f7cba8ad18fbe3e413b769c
SHA512b6cbb23f2ae51f437dc30ccf42917a07ecf817bdf94b4a08a07241d4a9c9b08179e6ce24f1d80d5291ddc1d8059c4b323afacd97602513830f9c850ce8e99c04
-
Filesize
740KB
MD53735b88805771b0ff33a9e24a46d73ee
SHA1ce37d26c832636a8316e7130d263e20ee12a39b1
SHA256065f1443bbf8bb16e499850e84a5b05d21dea2038cbbe39d47f29eaede9c45eb
SHA51258d872286c1269870bd848d811d2847e1731e5dbbb892b36e90ec543724456d9cb57b5be75e6950ff058b987ca1a47d4d0e5a21c31d50eb352336ec1679dc2ef
-
Filesize
4.5MB
MD586f15f6c1f23c279398e317d81c31707
SHA1f977d5ac382d6f058f8834bcc8aa5496cbf05154
SHA256581ec61cff47374b803ad8efe0b9376656c64af8b4779f66e5f0fb171fb7d157
SHA51221a7012273a9f34acd1be4f4a91f1478bd577feddc1197f30479c4300fd95b8688da7a6d916ff845ef4a214b731b61669c461bfee4a095549cc1d8da59918218
-
Filesize
2.1MB
MD52f8c1ce7dfb9c9d8978eb884e5e87fe2
SHA183dd9e8f51d76c3a2d7425831c0ff85ece499063
SHA2567cb4ed8798e5e9d6f8aa0ec0e4864d2652c7a75170f4b9099861dce23833a837
SHA5124071c58953c2d70c5f3cd8c6ba981caa910738b743fc4bf572ea0655f3b5b29fb36f84efbf49d8fa4c85c88839a66a3e69a9f3f3b00c57c124bd8fee7419158a
-
Filesize
1.3MB
MD51868d232314f61a86b90de56a61a4ce7
SHA12237f46e6a4276f9cd3df150b485c9caff8a64a3
SHA256b77b8817c8e3305c5215f85a7aba9052a0a65ca0e33a1c9d7a6586a905ce1848
SHA5124a96007ca668129a7330fe77a92abf6ad23c945617109fbedf2dba34bddc6f8e873a537c334b57efaa4f88792a9e51df56e2a52cb270bc88e7bd978a636b86c3
-
Filesize
923KB
MD5f504222c4136a89aa551bbc67701cdda
SHA1eca8de1a482af1b7d7263c26f5bc740c0b166603
SHA256aca8fcf73490e8af2bc6d03540fe0e3625e3455f19fa7edd785fcc513b7d561f
SHA5120971e53132fcdd69d54747732b068d816676729744ee42f057002257ee136615239c5e97f186497e2ec4beb9efb0e4d04a778449ce18caa6b1c1e775442851e7
-
Filesize
1.2MB
MD590503e9c1b44f2e1691409d9cc464dea
SHA13c0460a0e02ab733dcfe2f368f494599b72fc7de
SHA25604bae3e4742942e3f73145d849ab1cd03e70fca9770dbffb6cf2d2bc7db64ebc
SHA512a87707d668e62be5ca7c0688e421a7663041c713a81b8356a234ccfa4bc885a1648f52cf4b14a46c967a491aa6121aac7d500939ca62f8613374c60e00ac3dfa
-
Filesize
874KB
MD51722922ded587a1a3edce235b5146b44
SHA166f29421381b4cd3fb1ff3d02a6552282bbd382d
SHA256d52eb99d038ccefff7ea71dae2b0171ca18da15f3dce33d391b2276db5fda714
SHA5128552d29d501996b975a747e46e9066b23c33c417b82d8473613c8a0f27c6d9866907445f94b24110c03ce8baacfc9b0656fd6d36b060fd2984840e4ad0d48cdd
-
Filesize
193KB
MD5805418acd5280e97074bdadca4d95195
SHA1a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6
SHA25673684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01
SHA512630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de