51b4e69183f3d02124f3314cc64a7869425f053d8021c74c12f21d7c2afe2163

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Size

681KB
MD5

1a874e5ecd67dffab45e17e9b730daed
SHA1

8aa9f5d426428ec360229f4cb9f722388f0e535c
SHA256

51b4e69183f3d02124f3314cc64a7869425f053d8021c74c12f21d7c2afe2163
SHA512

0a20b6f3c3816c021d4e5c8e31e1dcf6aa41e511f834ea32a760163006e658acda71704306e0b902a27856ea10401e52bab6a0e44a63ec1db2349747b710ef49
SSDEEP

6144:Jn+EelAZ9fPaGwMILw+xotaLZ1u4IE9Kk/JPXoOgpqm1P:xe6TfPaGw/w+xoWW459KkpXoOz

Score

7^/10

collection discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

objlib.exeuipdb.exe

pid process

2568 objlib.exe
2588 uipdb.exe
Loads dropped DLL 2 IoCs

Processes:

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

pid process

2924 1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924 1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2568	objlib.exe
2588	uipdb.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

uipdb.exe1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

description	ioc	process
File opened (read-only)	\??\O:	uipdb.exe
File opened (read-only)	\??\N:	uipdb.exe
File opened (read-only)	\??\N:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\E:	uipdb.exe
File opened (read-only)	\??\W:	uipdb.exe
File opened (read-only)	\??\S:	uipdb.exe
File opened (read-only)	\??\L:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\X:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\I:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\V:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\T:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\G:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\T:	uipdb.exe
File opened (read-only)	\??\R:	uipdb.exe
File opened (read-only)	\??\M:	uipdb.exe
File opened (read-only)	\??\W:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\R:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\Q:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\U:	uipdb.exe
File opened (read-only)	\??\E:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\J:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\V:	uipdb.exe
File opened (read-only)	\??\Q:	uipdb.exe
File opened (read-only)	\??\Z:	uipdb.exe
File opened (read-only)	\??\Y:	uipdb.exe
File opened (read-only)	\??\X:	uipdb.exe
File opened (read-only)	\??\S:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\O:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\M:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\P:	uipdb.exe
File opened (read-only)	\??\I:	uipdb.exe
File opened (read-only)	\??\J:	uipdb.exe
File opened (read-only)	\??\Z:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\Y:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\U:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\K:	uipdb.exe
File opened (read-only)	\??\G:	uipdb.exe
File opened (read-only)	\??\L:	uipdb.exe
File opened (read-only)	\??\P:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\K:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\H:	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened (read-only)	\??\H:	uipdb.exe

Drops file in System32 directory 9 IoCs

Processes:

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exeuipdb.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\uipdb.exe	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\uipdb.exe	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Contacts	uipdb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\Contacts\desktop.ini	uipdb.exe
File opened for modification	C:\Windows\SysWOW64\apims.exe	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\objlib.exe	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	uipdb.exe
File created	C:\Windows\SysWOW64\apims.exe	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\objlib.exe	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

uipdb.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	uipdb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	uipdb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	uipdb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedProps = 0420060000000000c00000000000004604000000000000800e0000000100330032003800350034000000000001800e0000000100330032003800350035000000000002800e0000000100330032003800350036000000000003800e0000000100330032003800350037000000	uipdb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedPropCount = "2"	uipdb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedProps = 0420060000000000c00000000000004607000000000000800e0000000100330032003800350034000000000001800e0000000100330032003800350035000000000002800e0000000100330032003800350036000000000003800e000000010033003200380035003700000000000f800e0000000100330032003800310032000000000010800e0000000100330032003800310033000000000011800e0000000100330032003800310034000000813284c18505d011b29000aa003cf6760b000000000004800e0000000100330032003700360039000000000005800e0000000100330032003700370030000000000006800e0000000100330032003700370031000000000007800e0000000100330032003700370032000000000008800e0000000100330032003700370033000000000009800e000000010033003200370037003400000000000a800e000000010033003200370037003500000000000b800e000000010033003200370037003600000000000c800e000000010033003200370037003700000000000d800e000000010033003200370037003800000000000e800e0000000100330032003700370039000000	uipdb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedProps = 0420060000000000c00000000000004608000000000000800e0000000100330032003800350034000000000001800e0000000100330032003800350035000000000002800e0000000100330032003800350036000000000003800e000000010033003200380035003700000000000f800e0000000100330032003800310032000000000010800e0000000100330032003800310033000000000011800e0000000100330032003800310034000000000012800e0000000100330032003800300032000000813284c18505d011b29000aa003cf6760b000000000004800e0000000100330032003700360039000000000005800e0000000100330032003700370030000000000006800e0000000100330032003700370031000000000007800e0000000100330032003700370032000000000008800e0000000100330032003700370033000000000009800e000000010033003200370037003400000000000a800e000000010033003200370037003500000000000b800e000000010033003200370037003600000000000c800e000000010033003200370037003700000000000d800e000000010033003200370037003800000000000e800e0000000100330032003700370039000000	uipdb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\MY	uipdb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	uipdb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	uipdb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	uipdb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	uipdb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	uipdb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedPropCount = "1"	uipdb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\WAB\NamedProps = 0420060000000000c00000000000004604000000000000800e0000000100330032003800350034000000000001800e0000000100330032003800350035000000000002800e0000000100330032003800350036000000000003800e0000000100330032003800350037000000813284c18505d011b29000aa003cf6760b000000000004800e0000000100330032003700360039000000000005800e0000000100330032003700370030000000000006800e0000000100330032003700370031000000000007800e0000000100330032003700370032000000000008800e0000000100330032003700370033000000000009800e000000010033003200370037003400000000000a800e000000010033003200370037003500000000000b800e000000010033003200370037003600000000000c800e000000010033003200370037003700000000000d800e000000010033003200370037003800000000000e800e0000000100330032003700370039000000	uipdb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	uipdb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips = "0"	uipdb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	uipdb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	uipdb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\WAB	uipdb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

pid	process
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exeuipdb.exe

description	pid	process
Token: SeDebugPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeBackupPrivilege	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
Token: SeDebugPrivilege	2588	uipdb.exe
Token: SeChangeNotifyPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe
Token: SeBackupPrivilege	2588	uipdb.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exeuipdb.exe

pid process

2924 1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
2588 uipdb.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exetaskeng.exe

description	pid	process	target process
PID 2924 wrote to memory of 2568	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe	objlib.exe
PID 2924 wrote to memory of 2568	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe	objlib.exe
PID 2924 wrote to memory of 2568	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe	objlib.exe
PID 2924 wrote to memory of 2568	2924	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe	objlib.exe
PID 2508 wrote to memory of 2588	2508	taskeng.exe	uipdb.exe
PID 2508 wrote to memory of 2588	2508	taskeng.exe	uipdb.exe
PID 2508 wrote to memory of 2588	2508	taskeng.exe	uipdb.exe
PID 2508 wrote to memory of 2588	2508	taskeng.exe	uipdb.exe
PID 2508 wrote to memory of 2588	2508	taskeng.exe	uipdb.exe
PID 2508 wrote to memory of 2588	2508	taskeng.exe	uipdb.exe
PID 2508 wrote to memory of 2588	2508	taskeng.exe	uipdb.exe

outlook_win_path 1 IoCs

Processes:

1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a874e5ecd67dffab45e17e9b730daed_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:2924

C:\Windows\SysWOW64\objlib.exe
C:\Windows\SysWOW64\objlib.exe /combine local system
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\system32\taskeng.exe
taskeng.exe {CEB8AE87-5235-44A2-823E-5E02C7EFABDF} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\uipdb.exe
C:\Windows\SysWOW64\uipdb.exe 2er
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2588

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\ntuser{4CB43D7F-7EEE-4906-8698-FFFFFFFF70141501}.pol
Filesize
12B

MD5
c6dccb95c814f1c924dde5ff82d615d2

SHA1
b18518c63144eb6ddbda94b49e43b939218af32b

SHA256
a093940701903ba202a9cd4d11e9adbd951b9209bfd870024085691e3039ee23

SHA512
28f12275cd91fee91229fb4ca874d12f6d1c9a018066ca4574ed829de67feb6833fb33bc162adb99438b82ed1276ba6f774289bed4e5cc6f4266b62695de4be9

Download Submit
C:\Users\Public\Documents\ntuser{4CB43D7F-7EEE-4906-8698-FFFFFFFF80156501}.pol
Filesize
4B

MD5
c2034cd093335ba6a60f16a46465cb4f

SHA1
30ce69605bd949dcb546e5091f6592207411318b

SHA256
194e16917ba83662adf6538df875a7cf807bc19d04926c2a026a7eb629b29c79

SHA512
6d5e1dbab5f23ef07fe661c4004fd158b791796f63e68524c67cd569eb16e27ce6c1d2f91b279ccf10ca3144c55c5f14851796f6463d9b409f38b3b5e3f24742

Download Submit
C:\Windows\SysWOW64\objlib.exe
Filesize
1.4MB

MD5
5f022484183dfed9dac6861e96902453

SHA1
7027f83d639967c3afa776e6edd422f9fc2c090a

SHA256
3b43e5c8c876489591db0f79e0f71809ec44615daf6f74a2eb0ac4cdfdcb63a8

SHA512
ba41cb81ce3d2a40af04528acf3d9f6073b5e7735f440da9b7b740f4918a4d53a8d27c941a8a4960f829e435846a3e2cd026b6f59b85795c7287f9330cf0212b

Download Submit
C:\Windows\SysWOW64\uipdb.exe
Filesize
895KB

MD5
38b32d3f0469afbd07aae19e20df15c9

SHA1
12304fc5632b0c990873b379ceb7888479bbd6da

SHA256
18adf61a048a4027be52858b90a190404ffa1fb36c45ea182d3fd4c5a90f64c2

SHA512
ff96ebc48f7a76fc1a861f62c16bd7b6017c5108aa681bd6e9a1b6e8938d2c7cc71582f717085695f9f745ea24186d905f5a308f7a91af17ced06cae8a451a57

Download Submit
memory/2588-73-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/2588-141-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/2588-140-0x0000000000AF0000-0x0000000000B4C000-memory.dmp

Filesize
368KB

Download
memory/2588-94-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2588-72-0x0000000000AF0000-0x0000000000B4C000-memory.dmp

Filesize
368KB

Download
memory/2924-34-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download
memory/2924-76-0x0000000002110000-0x000000000216C000-memory.dmp

Filesize
368KB

Download
memory/2924-77-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/2924-1-0x0000000002110000-0x000000000216C000-memory.dmp

Filesize
368KB

Download
memory/2924-3-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/2924-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2924-0-0x0000000000400000-0x00000000005AF000-memory.dmp

Filesize
1.7MB

Download