Analysis
-
max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 03/01/2025, 12:09
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe
Resource: win7-20240903-en
General
-
Target: JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe
Size: 684KB
MD5: 6c846c3f737167948ae219bcc5bf53c0
SHA1: efcea049f211ec2cd9e18048baf2c8f7f730d931
SHA256: d67bc9c954a176b1efd11a61abbb6c4f2ac9d6f1cd16e16246b15f5cef2b4851
SHA512: fc1122f97138bd36708703b0306a646c65950d383f33ca4197eb05a1c56c9f7f23349e2086466ddb278a4aa504198b01b1214bad6b3fb4170e6613b26599559c
SSDEEP: 12288:NcBj7B40qvxUrevFtrh7Xj5qS3ZIIOuPZfSVPP9jCW71D5b6pHJ1:NcBj7B4UevFhh7z5qS3QWfgP171tbKHb
Malware Config
Signatures
-
Expiro family
-
Expiro payload (1 IoC)
  resource: behavioral2/memory/1092-2-0x0000000000400000-0x0000000000668000-memory.dmp
  yara_rule: family_expiro1
-
Windows security modification
Disables taskbar notifications via registry modification.
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1045960512-3948844814-3059691613-1000 (elevation_service.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-1045960512-3948844814-3059691613-1000\EnableNotifications = "0" (elevation_service.exe)
-
Executes dropped EXE (6 IoCs)
  PID 1980 elevation_service.exe
  PID 3984 elevation_service.exe
  PID 1656 maintenanceservice.exe
  PID 4004 OSE.EXE
  PID 4972 ssh-agent.exe
  PID 408 TrustedInstaller.exe
-
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files (1 TTP)
Steal credentials from unsecured files.
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension (1 IoC)
  File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json (JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe)
-
Enumerates connected drives (3 TTPs, 42 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 42 entries are "File opened (read-only)" on a drive root of the form \??\X:, grouped here by process (drive letters sorted; each process touched the same 21 letters, F: not among them):
  JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe (21): E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z:
  elevation_service.exe (21): E: G: H: I: J: K: L: M: N: O: P: Q: R: S: T: U: V: W: X: Y: Z:
-
Drops file in System32 directory (64 IoCs)
Grouped by process and action:
JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe, file opened for modification (40):
  \??\c:\windows\system32\Agentservice.exe
  \??\c:\windows\SysWOW64\alg.exe
  \??\c:\windows\system32\dllhost.exe
  \??\c:\windows\SysWOW64\fxssvc.exe
  \??\c:\windows\system32\fxssvc.exe
  \??\c:\windows\system32\msdtc.exe
  \??\c:\windows\SysWOW64\locator.exe
  \??\c:\windows\SysWOW64\snmptrap.exe
  \??\c:\windows\system32\snmptrap.exe
  \??\c:\windows\SysWOW64\vds.exe
  \??\c:\windows\SysWOW64\dllhost.exe
  \??\c:\windows\system32\locator.exe
  \??\c:\windows\SysWOW64\Appvclient.exe
  \??\c:\windows\SysWOW64\msdtc.exe
  \??\c:\windows\system32\wbem\wmiApsrv.exe
  \??\c:\windows\system32\alg.exe
  \??\c:\windows\system32\msiexec.exe
  \??\c:\windows\SysWOW64\spectrum.exe
  \??\c:\windows\SysWOW64\wbengine.exe
  \??\c:\windows\SysWOW64\svchost.exe
  \??\c:\windows\SysWOW64\msiexec.exe
  \??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe
  \??\c:\windows\system32\sensordataservice.exe
  \??\c:\windows\system32\sgrmbroker.exe
  \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe
  \??\c:\windows\SysWOW64\sensordataservice.exe
  \??\c:\windows\SysWOW64\perfhost.exe
  \??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe
  \??\c:\windows\system32\vds.exe
  \??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  \??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
  \??\c:\windows\SysWOW64\wbem\wmiApsrv.exe
  \??\c:\windows\SysWOW64\sgrmbroker.exe
  \??\c:\windows\system32\spectrum.exe
  \??\c:\windows\SysWOW64\openssh\ssh-agent.exe
  \??\c:\windows\system32\searchindexer.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  \??\c:\windows\SysWOW64\lsass.exe
  \??\c:\windows\system32\vssvc.exe
  \??\c:\windows\SysWOW64\searchindexer.exe
JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe, file created (8):
  \??\c:\windows\system32\jhbafplk.tmp
  \??\c:\windows\system32\hmijbljb.tmp
  \??\c:\windows\system32\cjbhinfg.tmp
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\njjefndn.tmp
  \??\c:\windows\system32\obhnnefj.tmp
  \??\c:\windows\SysWOW64\llcegeio.tmp
  \??\c:\windows\system32\hhfbcimj.tmp
  \??\c:\windows\system32\openssh\fjpmkalm.tmp
elevation_service.exe, file opened for modification (16):
  \??\c:\windows\system32\lsass.exe
  \??\c:\windows\system32\locator.exe
  \??\c:\windows\system32\wbem\wmiApsrv.exe
  \??\c:\windows\system32\spectrum.exe
  \??\c:\windows\syswow64\perfhost.exe
  \??\c:\windows\system32\snmptrap.exe
  \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe
  \??\c:\windows\system32\searchindexer.exe
  \??\c:\windows\system32\wbengine.exe
  \??\c:\windows\system32\dllhost.exe
  \??\c:\windows\system32\sensordataservice.exe
  \??\c:\windows\system32\Agentservice.exe
  \??\c:\windows\system32\fxssvc.exe
  \??\c:\windows\system32\msiexec.exe
  \??\c:\windows\system32\sgrmbroker.exe
  \??\c:\windows\system32\Appvclient.exe
-
Drops file in Program Files directory (64 IoCs)
Grouped by process and action:
JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe, file opened for modification (37):
  C:\Program Files\7-Zip\7zG.exe
  C:\Program Files\Java\jdk-1.8\bin\javac.exe
  C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe
  C:\Program Files\Java\jre-1.8\bin\servertool.exe
  C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE
  C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
  C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
  C:\Program Files\Java\jdk-1.8\bin\pack200.exe
  C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe
  C:\Program Files\Java\jdk-1.8\bin\jstatd.exe
  C:\Program Files\Java\jdk-1.8\bin\wsgen.exe
  C:\Program Files\Java\jre-1.8\bin\jjs.exe
  C:\Program Files\Java\jdk-1.8\bin\javah.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe
  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
  C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe
  C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe
  C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
  C:\Program Files\Common Files\microsoft shared\ink\mip.exe
  C:\Program Files\Java\jdk-1.8\bin\javap.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe
  C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE
  C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe
  C:\Program Files\Java\jre-1.8\bin\pack200.exe
  C:\Program Files\Java\jre-1.8\bin\ssvagent.exe
  \??\c:\program files (x86)\google\update\googleupdate.exe
  C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe
  C:\Program Files\Internet Explorer\iexplore.exe
  C:\Program Files\Internet Explorer\ieinstal.exe
  C:\Program Files\Java\jdk-1.8\bin\jjs.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe
  C:\Program Files\Java\jre-1.8\bin\java.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe
  C:\Program Files\dotnet\dotnet.exe
  C:\Program Files\Internet Explorer\ielowutil.exe
  C:\Program Files\Java\jdk-1.8\bin\idlj.exe
JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe, file created (24):
  C:\Program Files\Java\jdk-1.8\bin\acdacdcn.tmp
  C:\Program Files\Java\jdk-1.8\bin\oklgbmqo.tmp
  C:\Program Files\Java\jre-1.8\bin\nikalpei.tmp
  C:\Program Files\7-Zip\afaqkaok.tmp
  C:\Program Files\Java\jdk-1.8\bin\fhkccgam.tmp
  C:\Program Files\Java\jdk-1.8\jre\bin\moiajbka.tmp
  C:\Program Files\Java\jre-1.8\bin\ooqkhhjo.tmp
  C:\Program Files\Java\jre-1.8\bin\phlkpdah.tmp
  \??\c:\program files (x86)\mozilla maintenance service\gkomedmk.tmp
  C:\Program Files\Java\jdk-1.8\bin\finbkiei.tmp
  C:\Program Files\Common Files\microsoft shared\ink\jiianoje.tmp
  C:\Program Files\Java\jdk-1.8\bin\nlfifejp.tmp
  C:\Program Files\Java\jdk-1.8\bin\cgakfigd.tmp
  C:\Program Files\Java\jre-1.8\bin\edglhgfg.tmp
  C:\Program Files\Java\jdk-1.8\bin\edbponjd.tmp
  C:\Program Files\Java\jre-1.8\bin\aplfnjfi.tmp
  C:\Program Files\Java\jdk-1.8\bin\jdnejaho.tmp
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\nimidobm.tmp
  \??\c:\program files\windows media player\enbqadpl.tmp
  C:\Program Files\Common Files\microsoft shared\ClickToRun\nnknaeep.tmp
  C:\Program Files\Internet Explorer\qfemblig.tmp
  C:\Program Files\Java\jdk-1.8\bin\mekilqcj.tmp
  C:\Program Files\Java\jdk-1.8\bin\aneiiahc.tmp
  C:\Program Files\Java\jdk-1.8\bin\bklbclai.tmp
elevation_service.exe, file opened for modification (3):
  \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
  \??\c:\program files (x86)\google\update\googleupdate.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
-
Drops file in Windows directory (6 IoCs)
  File opened for modification: \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe (JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe)
  File opened for modification: \??\c:\windows\servicing\trustedinstaller.exe (JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe)
  File opened for modification: \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe (elevation_service.exe)
  File opened for modification: \??\c:\windows\servicing\trustedinstaller.exe (elevation_service.exe)
  File created: C:\Windows\Logs\CBS\CBS.log (TrustedInstaller.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TrustedInstaller.exe)
-
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe)
-
Suspicious behavior: EnumeratesProcesses (44 IoCs)
  PID 1980 elevation_service.exe (44 identical entries)
-
Suspicious behavior: LoadsDriver (2 IoCs)
  PID 664 Process not Found (2 identical entries)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeTakeOwnershipPrivilege, PID 1092 (JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe)
  Token: SeTakeOwnershipPrivilege, PID 1980 (elevation_service.exe)
-
System policy modification (1 TTP, 2 IoCs)
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (elevation_service.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" (elevation_service.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c846c3f737167948ae219bcc5bf53c0.exe"
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 1092
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1980
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 3984
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 1656
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 4004
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 4972
-
C:\Windows\servicing\TrustedInstaller.exe
Command line: C:\Windows\servicing\TrustedInstaller.exe
- Executes dropped EXE
- Drops file in Windows directory
PID: 408
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads
-
Filesize: 2.1MB
MD5: ba12d3f5b60e91a4cc414e4cfa2cd31d
SHA1: ff78e42cc92628ec367dacde6dd074deafccb66c
SHA256: 5c2cba6bc9c3e58dfc80bbc60730db6c5bc926b8e84fee42e2edf81eb48e37df
SHA512: e354982a62aab6634715e37d10dbef2e7c0e8d695d18074e1c9a31db8f39b5198d8c23111dbe02a066c07f5f90ce258818648170966d23c91f33cc7456df1a20
-
Filesize: 781KB
MD5: 8cb7ac0ccddfab9bd4d0aaf27edf87b8
SHA1: d8afcf655eb7c805938651b5f7d595e556da44df
SHA256: a09f5fa75d1a1aed22ec4abcbef5fa9572f9d7c9ab964a4cc082d6747824ed55
SHA512: 1c4c4a58d2d6c62ce8cb4057fbb8de5fea0e63a0344a6b1a5d044231d3a8f7025881d479c9c6181d2ea2dad51287ce49494aa0e6a5c61ab34a6da515cbeff046
-
Filesize: 1.1MB
MD5: 5a5b148618d4ce0e7fc6f486105c3dc1
SHA1: 821b669c360b83221a3d74a196c706cfd62c9f7b
SHA256: 71da885b336e88b38037fb34080db980006e817d3421e88c9252030c8cdbebe3
SHA512: 803b821a2a55a64bec37c26f8a789b66a06bff64104c19b342a8a5ed283ecfb313baf249165295b024efdd214472f43f20689ebf784a0dc60833ea49e3182aa9
-
Filesize: 1.5MB
MD5: c60c5e5861dabad3e961688d163ac14f
SHA1: a6cfbc3e621e1f454bad19afc711966d007d6396
SHA256: f311845cc9eab86d4caf114bd586f4e0253f3e994c24a8e3988e0a6988b46017
SHA512: cec029de52a16cddb4d24c2da99e928664d8520c1a4419733cbd306b1c4cbb8632b7b09c78bb92fd0c2fdafb93d027ed7d28d6371246806387fc2ab9bec3600e
-
Filesize: 1.2MB
MD5: 3fb51bd3163c1db47c64bdd024840924
SHA1: 169dda33a70fd1a213883064928abf3d0909df2b
SHA256: af1f9f7edbefdb6e9469344ae800b1fc6830bc21076db8f30a1e863efd728017
SHA512: 935bf03820aecf1465e53c7ebd2032c32961afe05c75bdbb1d80023721c04cf6b5ec00ae7fc4197ab2b505a679d13baa6acf6e1cc079f2384bd8c43f744667b3
-
Filesize: 832KB
MD5: 928f977b5a6f9425aaec5a22164e601e
SHA1: b572c6b5cd2f3f1cb1e792caf20bbc0693456afc
SHA256: 7be5ba5c23669510627e0fd6ef8189a1a13d7d989ac1712f42f47eba54c6f01a
SHA512: 75ebc6ddbc6eec39f3f29b032ecf5cceac341d8fea65c559148c63a3e120973318889b59bd31b81762b41f80fda8c73e5a35c8673b76541f043c94e25a336cc6
-
Filesize: 4.6MB
MD5: 636ca19a8af75e1f9326d4bd2118df08
SHA1: 1636eb4b7deb3ada513b619fb93b8dad364f6a5c
SHA256: 1631a8f52d01a62adc8c3f59d0cc19f7ae1749b32f2661b06cb6efaded79a484
SHA512: c0d1f36c94c36ca3cbcf93c795310ec0e8e758886b49a0359278c9a782e0147d9154bedd77bf1a8c8e70175ddbee237274f44c7e63a4b4fbda0c6bb5b5947db3
-
Filesize: 898KB
MD5: faca1c47089afd98ff06c36e0a5b15e0
SHA1: 00cf42a3a3760d3844f3953278846a50cf60072b
SHA256: 1f45d6129da5b6a5ae49d3ec6cbc56b7022b82cf4dddb64208f9f9720720a6ac
SHA512: c6b03917b688b7ebb61d6df9c652bb2e4875a00d282363dbbbabec0cb51274969895f5f46be78a333334a06f9d1bd59be3a41725cebd7a89b816713a3eed366a
-
Filesize: 24.0MB
MD5: 6a519564b10f7936b9eb41341ef545ed
SHA1: 822bce116c8ccaedeac63bd98a97ddbf6c375f08
SHA256: 5044457983c503ff1d554fc79ee7b4c850b79ff4e224480bb68e52dbd5c3f382
SHA512: d54bf6dee696cb5105241e5ebe6bb2a058e263d0e1b793fc00d25fbe354c2eab10073a42b082e3bd56eb6d15624304b74d22e2737aca27e7b7c13a03f887e896
-
Filesize: 2.7MB
MD5: b4e64dbd34141fb5ee1e0ff902500996
SHA1: 62a30f5d449d81065cc9bbf216edd42598589a8c
SHA256: b17f093eb95a2ce5e0fbb6636d75b88290f71710a16ca0ca094b1396790febed
SHA512: 92280511bac66b638a9c4127bcf280b852e269dbbc4de9b23a88462ef2509a4bffc03665347e1d890fae7dcbc3c69995a6bd85961f51d8a9bdc2b6c6ad051a88
-
Filesize: 797KB
MD5: 7ff3236febf0038791403416654a7671
SHA1: 196da08366bd66f8eb911cbb676e18e7f06be563
SHA256: 9e794db2e3394e129080761f9eae5a8a1fcac2e44fa8d93fec4bebe76b884034
SHA512: 54281bdf0e64b0c5cc27230825a37e9e6811027911c3c07ec5458fc60d64b857d05519a642f2123e681bce72db121df530881327a4d8d84b08de33e5fb38bb1f
-
Filesize: 4.6MB
MD5: 986f28fc0463d7bf3e17ea7fc422f0ba
SHA1: 05bfe6149435308cb9c27ebe80b2b3d29eee5efb
SHA256: c7c90b7916fd04b5c9f176390fe9addacbd6b95dc76d395dc94027b25977fc53
SHA512: ea54fd1b7ede5354bb9a472c76a0431a2af03e5424e667c19a91ac73e5111da611bb17fd4786b863c0e43d782ea1d95d944986e1fe647e593b65be118279028e
-
Filesize: 2.1MB
MD5: 7187c0f361a559499f310f992e7add1d
SHA1: c237dafed8a1ddaf00b4544bb14e26b52f413f36
SHA256: 061808bf7781346d003e39f682f2de467f13afc803ccdea4b12984ae9953b155
SHA512: e3402afc8214d2dcd62d4684b34fa2bcb3e3932869a9c220bf5208ebfb4eb0dd69dd4b0d9241e5f992f6cb6c3e49bd8e609fcff0064ea97508130f2cda5290d1
-
Filesize: 1.3MB
MD5: 5cba7d88bab6b99edb86a26dbb2bcbff
SHA1: 8abca1c01e7abe9bf68ac4426f2554a6b1713815
SHA256: 71a2ed98fe4f23e80a890cb42b18694c8d7333172a8d0345246b929454f779fd
SHA512: 4c1f5a08c6922187abaed826583918f5d9d66318fade87670f745894978b20f1fd0c9b2efc09f824ca24599445c4c0b01615a887f341d239409af739c95d0b42
-
Filesize: 978KB
MD5: 6af6b61ebb9fab14292025297291872d
SHA1: 4cbefdbdf72a55ff734a104e19191d19b50c91d2
SHA256: 058bcc39f8e7942761aaf19fe27ce1f75fec716a2e9011965ab048296423aca1
SHA512: 1959d7b9105e7b471c26ae6a736d529b75998b44a495fba6955ba4db0dd482002f8f467b13da238970bafb0e94b3f54d8a0927c2219573c64e1f44b482807303
-
Filesize: 932KB
MD5: efdfa02525053449f417ec098aa4c72b
SHA1: 0d1402b371569620f0e55f0a9a9c650f006bf5fa
SHA256: 9203218677644682c36342d334fa8eb9fcff084a8b2d866783a68c089f2b2b1e
SHA512: d322674a242b91ba1f07b4cc10660b132afffc307c8178f7161e7a88f8ff58be5606ba1f8ab6f5d1c5c051a15d4d1aa5f75b76bbf4f798ba6c7954c9c89066d9
-
Filesize: 1.3MB
MD5: 5f1335ecf766c77fa8c5d0b4d691b95e
SHA1: 69ae7ae10df05a21920568303fab9534ecc7f756
SHA256: 3b12cb1dc5c86081218d54fdf7f61b2d2ab3e5b448043e472acf5d52ea211f98
SHA512: 8930a3cbb94c1ca010fa6e53746f2a43f686f066026f80c1c68e66a4d679d12259c3c8b9d43825bfaf021a068c6daa9c0f40512d00916e43cc834200c5e40a44
-
Filesize: 193KB
MD5: 805418acd5280e97074bdadca4d95195
SHA1: a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6
SHA256: 73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01
SHA512: 630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de
-
Filesize: 1.5MB
MD5: b66ab57322d050b3921a6dd5fd7e09de
SHA1: 4c47c1e3505e7c076c66e7d0d1c05cf52e7d6c07
SHA256: 64e456edff39f0d53de141c048dbfc931b07bde7b5ea2e2c693b4217c53c270e
SHA512: dacf5a7310f077027a7d66e297260ef989732c5995338ed1fca6ce8bc0c45bbe622db53056c992670ede17e9571092327b86c499c35e46bd7b46cbcdd2426ff9
-
Filesize: 1.7MB
MD5: 5293c46ac8a34561220e9fa5bba70f89
SHA1: 4534ba7e910fca7c98e3a09d41b82c0f2cbd18c2
SHA256: a93aade99aaaecd2e250ad7d51c47542d33f3dbbe4bd5bf67fdcc2d8982304f2
SHA512: 4f140057b0cb49af3e759e7c9fcb7f3cc603db8f314d6cb758ed415a8eb7747b374271567190f89a6ce2222b7af3d7f6981d2dc605d84b16d7ed1e601c727216
-
Filesize: 1.2MB
MD5: 779004fb341f3145c58d0a4d7437b89a
SHA1: 4d17981f6da493c10a12910968b0a94b3f101f62
SHA256: 7afb36f4581d1e4dfdc779514d1388d03f755f8e2fadeb38a864f636c9ec8728
SHA512: 73f76cc729b71282c00f759cf223fa03fd3f14016f9b90e8055295549af664dd971765a3c6792bec756c2a5574c609619f931a5c918342b7da8a5b863927c6ac
-
Filesize: 700KB
MD5: e1c9749595f1d4d37771e67fcc0093f3
SHA1: 03cd521662d12f2f575c622bd0d6c9fe7ae17037
SHA256: 1caccfac60e2d18afa7a2720c25f448b3e8df29fb01697bc105d47ed7843f80f
SHA512: 2327847d3cbe6fba078dbc7551132140e0c595e66e3a4b219186959aae76e0a88d31c9bee3a9d8aa52e13f0d50e17e49a51f7f92972030b384afa1ac132d69dc
-
Filesize: 623KB
MD5: f538961673523b94867890a1bba972e2
SHA1: 835c0e5bb6eceb72212b494b2104d8e2eab89d73
SHA256: 267c7cb658da8652da6c04b604b205bafbdbcae0f5f689e03bbd014ee15b6534
SHA512: 82fd2d2848ab417e13be6e215e48d58966a0ea0cee177a9480372103fc7045d8075e5718744fe4b9f7808cc6d49bae9591d0a763b8419bf09a70bce0eceb1fac
-
Filesize: 572KB
MD5: 48d0427451c735eb17860bd58ba17537
SHA1: 95b2ec79c81a863ee8e6a0cb02bf7c74f0cc1ea7
SHA256: fd2e248391b6bb0860b4ba6de3e4c2d42013414796d9c2d19ec34a960a19b476
SHA512: 4a8c11736263e475eec5db34ef0420cd1924af8131357bf100027dd930ab3b2dc1b60ea8f247e1b8b54562de5bb31befffe874ed394b725ca191bf4d505806c5
-
Filesize: 2.1MB
MD5: d7b059b6189da9641b82f4944df09bce
SHA1: 68700be5703ee0751cf5ac6a07a671f6a7390009
SHA256: 294586c35286b6b232b25b1501efbb97a0864b51671fac6fadde85aedadcf747
SHA512: f83f633327bac1fc7fceb6579deb5e08cb213e4edc8175b4bd823ee6f86c891be2cf1ed6652930059b5526f4616427ba4823a4514c0645d951ae2db14e6e8b1d