neshta | 6db8d3ce0c8918b208a4e6da0066fa073717954910cb8562f9d6878833a3ab8d

Analysis

max time kernel
141s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
Size

434KB
MD5

773eb17f7dba6b359affa8dd353b389f
SHA1

584c03e869ccd34ccc4f3611594b107a9e08533c
SHA256

6db8d3ce0c8918b208a4e6da0066fa073717954910cb8562f9d6878833a3ab8d
SHA512

867c6f2bdbdcf35ba40a2a7dc162c503c074db88ffc2eafd471c805eab0529460b8032ff2651d994524daa5b2f20cf12dbb942f76b1c7a581ca2109149cdfb90
SSDEEP

12288:8ftlPJjSZCXWEAQLQV+EVUL/kbEIKL1wTNu+MAqy:8ftlPJjSEnAQLQV+EqL/GEIKL1l+Jqy

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-13.dat	family_neshta
behavioral1/memory/1708-87-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1708-100-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Executes dropped EXE 1 IoCs

pid	Process
3008	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe

Loads dropped DLL 3 IoCs

pid	Process
1708	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
1708	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
1708	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "117"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "102"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "169"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "16"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442121809"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "117"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "102"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fdfe1b27771a734bbf0e533a19a721eb00000000020000000000106600000001000020000000f35a0c833081095e950a2e2156ab273ff405482fb31c82c92798f2b4ff8a603c000000000e800000000200002000000016012337d3708c4bc7976a34db055b931862562f87bac40535c831f58227eb4e1001000071ca8844081e8e0903a65d7f2e15520777c536078687437d1be9eabc2e5adeddce803829cab6f6d5311ff85fb9171aebae1b57cdc1cb6db91abcfb632035cb51e93ae28fcc3ecb28158d76c42cb8e170326e523443cec42d151ffd4aea682756d2e9ce8f18a2f2f77e5eefce62bab5ae0e4a6b6feaebe9c130177febda9fbcc397e79eef1846c0dffebe491fcc3006c22bc2efac3b58e64ee7bd3cd245e9fef8952ec36cbe01f3fbc8a0f92c60c4234d3cecfdfa336f1a1f2ea08233187173625ffa7d4839736876b1ed0f198173aac92085e2f385136ca4ac2afb64f373e98452829ef1a42a1953e59a4c7d15e3b92167b6d20ba844f8a274f0f6049d5be0a624a6c4c0009fdd923279999b3f2337b84000000007c8ebf461473b422d70a5ec82d24c6a0f8c6955b12e952cc58343e4acf1d606da569eeaab5bda2673ad6b9d599043b86526dfc09e1bfa2a54ffda2cb41a4474	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "102"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "169"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "276"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "276"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b02ca1a0555edb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "169"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "276"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C81F3071-CA48-11EF-889C-C6DA928D33CD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "117"	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2548	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2548	iexplore.exe
2548	iexplore.exe
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 3008	1708	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe	31
PID 1708 wrote to memory of 3008	1708	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe	31
PID 1708 wrote to memory of 3008	1708	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe	31
PID 1708 wrote to memory of 3008	1708	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe	31
PID 3008 wrote to memory of 2548	3008	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe	32
PID 3008 wrote to memory of 2548	3008	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe	32
PID 3008 wrote to memory of 2548	3008	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe	32
PID 3008 wrote to memory of 2548	3008	JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe	32
PID 2548 wrote to memory of 2992	2548	iexplore.exe	33
PID 2548 wrote to memory of 2992	2548	iexplore.exe	33
PID 2548 wrote to memory of 2992	2548	iexplore.exe	33
PID 2548 wrote to memory of 2992	2548	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.java.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
27643ed1cffe92c1f926b9a57d5bc87a

SHA1
c4e190edf60c307164830d0325a10235f12014a7

SHA256
091391e398e970b7aef4b2eb59342c8757471928bde7ef7dcaf51e3e0e94993b

SHA512
047f60f9ae0d9a65aadec66060e67a03cbc7239ddce115898dc1287532cce23ad122b716bfe56e93714598274b1e350ac779d4c603fb12dc44e491c54dc30704

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d9e9835ba93f1cf9db6ac40b972ecb9

SHA1
1aea76a7383bb8a2f7407f3b95869b38d1c33e5e

SHA256
449f31d7b329d132971cd9aab5ab29502e8fb91878eb1f53776ba6f90f3f5ff8

SHA512
d8ad54ac8b890c0c2f08e43aeb383ce1624ed18921f98b15b14f60b2e2daaa5db5aff2d83a10f5737535be2da9312fa7234961a4bb4f9d66979c4789267c2978

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
644d6b220ea0c0e7c32f2e4e8ed94087

SHA1
70f3b0cd07b26fed1844370a72e8a149a249fe8c

SHA256
3652885cf57c128615eef303d9df4097f7c977839442e28c334482a0f06fd372

SHA512
96407e1c2ec9a3e3cb3b4d77b42570841f215a5045624787cb74e6f15aec15b0d5be9f15e8e446489c4478ec3565b006a63bf3496ed2e8ba183b609a725f43af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5dae952a95f2ec62149f50fd856df3b6

SHA1
452a9d1434d8c1042bf87d19146ed3d50487d743

SHA256
ea29ee289df187cb32437fe6f645f8c1a0670871fa416953c853f3c82a757f59

SHA512
5cc440cf83bb1b53a6aba4cefb45c98c66faae86f720e0be9c5ed063a60d0969e3f9347b78eb6bb355a59fa31fff0172eaa363b82c5cdc203b854b5aa027e76e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11b030ba27613f9f87bd0e251b777a3b

SHA1
89ed97b0317c29939f0a994b50fc6faa591d51a1

SHA256
38b00802ee14b2b7117b0be473090d2d349ff0d5c6a4c28adff20893473fe0ea

SHA512
6ea3e260b6c9547f6bcb2565fd7f17d3e0f1c91743ddb678f29992e6ceafcbe76ea00c10edd04fe7bc0c225268fc5940bcce644cedf640a8f4577c5a008bf218

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb80ebbcdb5099f6bf434348a9f5e6f7

SHA1
374a4850ba8b9f9a1bf578d8c66bacd4592e670f

SHA256
3f8c0fe9bb427514d269ca439a0842759c75e8a0fdb3b03a285e3c8381d6c1b1

SHA512
202ed47bf7687317d3961f7bde2d309232848840879ee9e819e0d7c8e00b2c897b284d132d4ec85f031076bb8a1069e440971f7f0d05f70e2b79b98792373184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f58b6e4c333a7c219ffb4648acfbb673

SHA1
663b0703148de478ba0e6984445f0ca7b849ca42

SHA256
41cee5e8bc7345dbaf2d168f0fa22b7f6976efce8e4f0d2015b337ddf4ef2727

SHA512
382f534643c0f6e4091d6db38bb9ad16b4692a3da9f923b8d663df0ba85627633c939c16959cf177ed97a9aa19d7879b8a4a81050f4f230e2d7d876f859d9220

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccfba3f96468e470cbd9feae9cab7d15

SHA1
c7845dcc05d05ca16030a18198800777a93173f2

SHA256
6507353fe8a40a742e041af348024c61891ec0eff3188948f46efefe67cd799e

SHA512
6cbac6814439e0211f5a9b072e281fa6def6d97b30fee5828a4548a061d0e0afa8ef328c40c20f8575a96018def58f22643ae349a41a56f9a3e950b98aeb3c7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db06c03cdd7364fe2dbd3d8a0748515c

SHA1
6660bdbee9071655fc9a74ef9146f1153e525786

SHA256
1d88328210c1f8abf484b1f90e047d00f9aaf0137322bfbc8ecb1e91cb971ce5

SHA512
09b7675c2b09eac147104c535170f17e82b0e551a5349e16894874a33ed13e0f86d3e01df7d2e12aaaeb3ad2fa9c121c2ea6f5e94d6724d527283c562bd4700f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06c1c74f6b77b0a06c279f9f6182ed45

SHA1
387f7d18f60cbe446aaaaee031ab1cf30db212a8

SHA256
6feb018d0b1c1eb108b07986a6622a7f4bc67bfcd667cef903ac1dc5e4585381

SHA512
54ddfcc1cbd528e7a2b0ad65801c728d08bc5795de671fba7262888970e2717a97d4b530197080d0ca610f9a9b286ac2216c8457a57c0890ac0ff822acfeea7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0f612010e143d5181d6f5175d3ce706

SHA1
aa3eef5a01e911dd6db5c03f6f4a456cc918f1ef

SHA256
a2a1d4a952c8e576b9b8f8ed454a47cf3b30eded441b08f9e3a46503943084d1

SHA512
a6bac922242db3f0b6a17d138a323057b8544166cfe66b90a0540b7ec174cb88bd95e60eb87d824983464ef3eb812344ed23e7b31f7cc36b6297cf5b5538d4f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
380baccf061e22772757a11890621b9b

SHA1
1cbcf450a60dba43176bc07afeb8819009c178be

SHA256
9749429b63bde303257ce431c738d49909cd3080e6502689d36835965985528a

SHA512
82384794e9827c74bcc31efd6e580d6fade816ef9ee41322b3feeeed5111b897bc4625d5a0cff80452e5793a669892c843c4015c8c3473a6fc3c4b271dafab06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fac355eba3044da243aa4e692c141b71

SHA1
a7b83bb9bc27472a160370d75f7d01b09f2fa965

SHA256
6b3b3f3e344464a5eb4e414ef9d8222561f3ecd421672547ef828b9a34d22229

SHA512
7d5a49aa64f62351dfe0fde100cf2663f5d2df1dd854b679be92122f894cda7a93263ce55cd3bbcf497eecfa9f4b257987213a8ddb05ed0db23bbd8005b64bb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4bf00fd8fe74946d8daf5577831089a

SHA1
bacae8580f44468e90b9886bfc8a224908193cc7

SHA256
b6c8459572ad72c610ecc524b6830fee3c5e8d8255b9dd180161f38251acc4f8

SHA512
3046e206b9db859a25412a4f0705a1c2eb5e66fa44127b6318da002ec775772d188ae70bab5a23f7dd96bdb1a303f2e9f9af5558576ee3351fb0a00315ca383d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e5395d5a41bd12f1063e21d6be2d672

SHA1
7062bc3a4176774a1ee53cfa268358eca32fb9b3

SHA256
9e35149781f4a518d2fc63e1831d61ab1076ab219e68081a809a5466d77eb1c0

SHA512
6993a5654ec431b1dcfc36815fb09c89534d6c316fd6360cacfcfb8dc8ff10c4d6069b6745b388dfa7778b8169ba311eb76f3ee8ab4bd896e10c247dce982603

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30a712c17e00a69bc0a35fa40630dc8f

SHA1
942670e040c31cbe2ac8889c4fdb0e774aa8b69d

SHA256
799fc0b7c18660446e4b20f58a2fbbc440a2119d44dfe850dde870c4b6112aa3

SHA512
a4cdb0023058220fe2a87621f24ed998342a40920aca934ebef6f1615d20b28480f3b6f58635a71333a3cdd645bea353a51a890601fb343a5464b723f1d36621

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
888c0464bdd61d0a98674b559bf64482

SHA1
8c7bc92c62b2433357279086e74e780922b3c8d7

SHA256
ef594dcab3351f5273dd9dfd1245791f9575a2cce0f81747e0e4e6c20bfec20d

SHA512
0a9a7c0772b5281be341b14abc5fe33d136c821e6b1a0994a83f3d31689ffcc6359d46ee2b73d05a1f983d689aac67e120367c87a8ef74cb6ea16ef449f91a56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10ae7de298a5462724ee2b088f3932f5

SHA1
ed9b6755581900782e58cf336908f2a69d20d8b4

SHA256
8387976fb596a099370b9b1fca25ffc0ba6cd11bb44c8f75abe2ef06a5453c37

SHA512
63b2f4a4ba9946457f0d1afd78ce47f62c0221337fc05207a88aa816dce75fccce2e00598dc927c645d0c308db6e8e31a1f7a99f904fd403961105ae40e547a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
56af2512874af31b6b29ad3e96d77558

SHA1
3e8e35c7a7dd58a8017dbe3b422c0697707df423

SHA256
148680663405d28af61018e9c336af5a4baad1adce5131c80601390e4eba91c4

SHA512
6ac1a07cfb89eda52f8c7546d89ca3e08178c2d05d9aeb1234a8502e07ccf4291a4baf17ca8096a470b0b1de82ca5245b108a43bb9e11b658cbf3a345b99e1f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\QW6UOVJT\www.java[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\QW6UOVJT\www.java[1].xml

Filesize
196B

MD5
49950c45aecbe7c1fa3cb0e1950fe226

SHA1
e741d0fe43be2316f9fad9515bf7872bbf65533a

SHA256
4b5db98a4ca9938571416d67cf2c8182bb7ddf5a3289fe72d7e6c5bb8801fe90

SHA512
801d5e37c6811d25b5b3140e5e1d4ae5703deea30bfd5a7d379370872edf6097dd9333378d01c9594f2a07bce0d67722b94fc790885e3b3f346e2ddf91032c31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\QW6UOVJT\www.java[1].xml

Filesize
271B

MD5
6f2a4eebca5f02463b124b8f612788ad

SHA1
4cfb9f5a1f358ace8741e99268ad1f480f1b23b2

SHA256
2fdb77defb9977bf9c314392dc29675c5b98f24b0f9b6933ddbe842f019c11b8

SHA512
b59ce325328f89f665b2135f2ebd84a140934f557e7d0b41af16ea2228efdad92c1475a192dfc90edd96123a863472bda90e27ffda5fda2bd8fae16a9c6b8bca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9fajjbh\imagestore.dat

Filesize
1KB

MD5
777256dbc746bd6e28737de2b844d50e

SHA1
169dcae1078399da0402cb678f31e54babe5e3a2

SHA256
61cf9af0aed446ef178f8c66e02f7008c5b8871c99de64a7390451c312adbc9c

SHA512
d29fb00a83ca9e16cd49e5742f58c135c461e891c482f513bbe53437f736d6e5acbd4f07ffc624dc559626bcc24ba9b2e5aa62f2641fe66f00c8554f84f117d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXRG2YQS\favicon[1].ico

Filesize
1KB

MD5
8e39f067cc4f41898ef342843171d58a

SHA1
ab19e81ce8ccb35b81bf2600d85c659e78e5c880

SHA256
872bad18b566b0833d6b496477daab46763cf8bdec342d34ac310c3ac045cefd

SHA512
47cd7f4ce8fcf0fc56b6ffe50450c8c5f71e3c379ecfcfd488d904d85ed90b4a8dafa335d0e9ca92e85b02b7111c9d75205d12073253eed681868e2a46c64890

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab29E1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar29E0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_773eb17f7dba6b359affa8dd353b389f.exe

Filesize
394KB

MD5
60a7450602350b525884fab1ae0df349

SHA1
e0bb4503c385fdf10fb65b84255cf0cd60b81f27

SHA256
c81540d14590f3e70f9db6f6143e795542f9ff622a8f174537b5322c9c266abb

SHA512
fb77c9e3a3ecae9a432aa7536023ba0198ca3f4a19bb9d492b16e726bece757a370b99ab496acab8d2d3b9731992847aa6dabef2ea6e181ff81668bd09faaeaf

Download Submit
memory/1708-87-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1708-100-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3008-86-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads