Analysis
  max time kernel: 150s
  max time network: 125s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 08/04/2024, 10:12
Static task: static1
Behavioral task: behavioral1
  Sample: e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
  Target: e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
  Size: 15.4MB
  MD5: e738e1243e71cbcd9f6347b70e5dc933
  SHA1: b6115ff35a837ee88295d7744d632e39e1f85a95
  SHA256: 4164367730113174b4dbffd025494bac125911a2b07c898759df585f1dfa09b8
  SHA512: a3ff98230574083a193d15e0b77f6c3abb50478b2a7c3e601a5325c4306515ad5d237b1982045fab973e2bbdd8be5456341183293a6d8e3fb1919e1e54886809
  SSDEEP: 49152:HGiAnGi2Gi2Gi2Gi2Gi2GivGiZGi2Gi2Gi2Gi2Gi2Gi2GihGiZGi2Gi2Gi2Gi2GM:D
  The ssdeep first hash is almost entirely repeats of "Gi2", which means long runs of identical content; a 15.4MB file with that profile is most likely a small program padded to look large, so expect the real code to fit in a few hundred KB.
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
    by cute.exe, e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe, Tiwi.exe, IExplorer.exe, imoet.exe, winlogon.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
    by e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe, winlogon.exe, imoet.exe, cute.exe, Tiwi.exe, IExplorer.exe
  Both values keep the legitimate program (Explorer.exe, userinit.exe) and append the dropped IExplorer.exe, so logon still looks normal while the implant starts with every session. Two caveats for an x64 host: the writes landed under Wow6432Node, the WOW64-redirected view that the 32-bit sample sees, so the native Winlogon key (the one the 64-bit winlogon.exe reads) must be checked separately; and the path names system32\IExplorer.exe while the file itself was redirected into SysWOW64 (see "Drops file in System32 directory"), so a 64-bit reader of this value would not find it. Verify on the image before treating this as working persistence.
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
    by e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
    by Tiwi.exe, IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
  HideFileExt = 1 and ShowSuperHidden = 0 are the Windows defaults, so on their own they are weak indicators. What matters is that every copy of the worm re-asserts them: it undoes any user who turned extensions on, and together with the exefile type name being rewritten to "File Folder" (see "Modifies system executable filetype association") it makes dropped executables indistinguishable from folders in Explorer.
Disables RegEdit via registry modification (6 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
    by IExplorer.exe, winlogon.exe, imoet.exe, cute.exe, e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe, Tiwi.exe
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification (6 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"
    by winlogon.exe, imoet.exe, cute.exe, e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe, Tiwi.exe, IExplorer.exe
  These are the Group Policy-backed user-restriction values. DisableCMD is written to the machine hive and so applies to every account on the host (value 1 blocks both the interactive prompt and batch files); DisableRegistryTools sits in the logged-on user's hive. Clean-up from the affected account has to use a tool the policies do not cover, such as reg.exe or PowerShell, because regedit.exe and cmd.exe will refuse to start.
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE (35 IoCs)
  pid / Process, grouped by dropped file name:
  Tiwi.exe: 2764, 2716, 2276, 1068, 2848, 2928, 1196
  IExplorer.exe: 2540, 1888, 2796, 740, 2000, 1692, 2148
  winlogon.exe: 1636, 2336, 2660, 2544, 2756, 2716, 1828
  imoet.exe: 1472, 2572, 2452, 2880, 1940, 1172, 1324
  cute.exe: 1676, 1708, 1644, 1888, 308, 2900, 2412
  Seven launches of each of the five dropped names. PIDs 2716 and 1888 each appear under two names because the sandbox reused them after the earlier process exited, so do not key on PID alone when correlating these events.
Loads dropped DLL (53 IoCs)
  pid / Process (number of load events):
  1908 e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe (16)
  2764 Tiwi.exe (8)
  2540 IExplorer.exe (8)
  1636 winlogon.exe (7)
  1676 cute.exe (7)
  1472 imoet.exe (7)
  The only dropped DLL visible in the file-drop sections is msvbvm60.dll, the Visual Basic 6 runtime, which is consistent with a VB6-compiled worm that carries its own copy of the runtime so that every dropped copy loads even on hosts without it.
Modifies system executable filetype association (2 TTPs, 64 IoCs)
  The open command of five file classes is pointed at the dropped C:\Windows\system32\shell.exe, which receives the real target as "%1" %* (the Windows default for exefile, batfile, comfile and piffile is plain "%1" %*; lnkfile normally has no open\command at all, shortcuts being resolved by the shell link handler). Every double-click on an executable, batch file, DOS program or shortcut therefore runs the worm first, and removing only the Winlogon and Run entries leaves it resident. The exefile (Default) value, which Explorer shows as the file type, is changed from "Application" to "File Folder".
  In the rows below, CLASSES = \REGISTRY\MACHINE\SOFTWARE\Classes and SAMPLE = e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe.
  Set value (str) CLASSES\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    by Tiwi.exe, winlogon.exe, cute.exe, imoet.exe, IExplorer.exe
  Set value (str) CLASSES\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    by SAMPLE, imoet.exe, winlogon.exe, IExplorer.exe, Tiwi.exe, cute.exe
  Set value (str) CLASSES\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    by SAMPLE, winlogon.exe, Tiwi.exe, imoet.exe, cute.exe, IExplorer.exe
  Set value (str) CLASSES\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    by winlogon.exe, SAMPLE, cute.exe, Tiwi.exe, IExplorer.exe, imoet.exe
  Set value (str) CLASSES\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
    by IExplorer.exe, winlogon.exe, SAMPLE, cute.exe, imoet.exe, Tiwi.exe
  Set value (str) CLASSES\exefile\ = "File Folder"
    by imoet.exe, SAMPLE, IExplorer.exe, cute.exe, winlogon.exe, Tiwi.exe
  Key created CLASSES\exefile\shell\open\command
    by cute.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, SAMPLE, imoet.exe
  Key created CLASSES\batfile\shell\open\command
    by winlogon.exe, SAMPLE, Tiwi.exe, cute.exe, IExplorer.exe, imoet.exe
  Key created CLASSES\comfile\shell\open\command
    by winlogon.exe, imoet.exe, Tiwi.exe, cute.exe, IExplorer.exe, SAMPLE
  Key created CLASSES\piffile\shell\open\command
    by Tiwi.exe, winlogon.exe, IExplorer.exe, SAMPLE
  Key created CLASSES\lnkfile\shell\open\command
    by SAMPLE, winlogon.exe, cute.exe, IExplorer.exe, Tiwi.exe, imoet.exe
  Key created CLASSES\lnkfile\shell\open
    by SAMPLE
Adds Run key to start application (2 TTPs, 24 IoCs)
  In the rows below, HKU = \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000, HKLM32 = \REGISTRY\MACHINE\SOFTWARE\Wow6432Node and SAMPLE = e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe.
  Set value (str) HKU\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"
    by SAMPLE, Tiwi.exe, cute.exe, IExplorer.exe, winlogon.exe, imoet.exe
  Set value (str) HKLM32\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"
    by SAMPLE, Tiwi.exe, IExplorer.exe, winlogon.exe, cute.exe, imoet.exe
  Set value (str) HKU\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"
    by cute.exe, Tiwi.exe, IExplorer.exe, winlogon.exe, SAMPLE, imoet.exe
  Set value (str) HKLM32\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"
    by imoet.exe, cute.exe, winlogon.exe, SAMPLE, Tiwi.exe, IExplorer.exe
  Four autostart entries split between the user hive and the WOW64 view of the machine hive, each written by all six processes. The value names imitate benign software (MSMSGS, System Monitoring, LogonAdmin); the target paths are the better hunting artefacts. Two of them go through the Windows 7 profile compatibility junctions ("Local Settings\Application Data" resolves to AppData\Local), a path legitimate installers on Windows 7 do not use, and "C:\Windows\tiwi" has no extension, presumably resolving to the dropped C:\Windows\tiwi.exe when the entry is launched.
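The Winlogon, Explorer, Policies, file-association and Run changes above are all plain registry values, so the quickest way to confirm or rule out this infection on another Windows 7 host is to `reg export` the relevant keys and compare them offline against known-good defaults. The script below is an added example written for this report; it is not Triage's code and not the sample's. It assumes the analyst has the exports as text; SAMPLE_REG is constructed to mirror the IoCs above (with the native Winlogon key and a Sidebar Run entry as clean controls), and the defaults it compares against are the documented Windows ones. Both the native and the Wow6432Node views are checked, since that is where this 32-bit sample's writes landed.

```python
"""Offline audit of `reg export` text for the registry changes this sample makes.

Added example for this report (not Triage's or the sample's code). SAMPLE_REG is
constructed from the report's IoCs and is not a real export.
"""
import re
from typing import Dict, List, Tuple

Snapshot = Dict[str, Dict[str, str]]  # lower-cased key path -> {lower-cased value name: data}

# Documented Windows defaults that the sample overwrites. None = "must not exist".
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"  # a trailing comma is normal
DEFAULT_OPEN_CMD = {"exefile": '"%1" %*', "batfile": '"%1" %*', "comfile": '"%1" %*',
                    "piffile": '"%1" %*', "lnkfile": None}  # shortcuts use the link handler
POLICY_VALUES = ("disableregistrytools", "disablecmd", "disabletaskmgr")
RUN_NAMES_FROM_REPORT = {"tiwi", "system monitoring", "msmsgs", "logonadmin"}


def parse_reg_export(text: str) -> Snapshot:
    """Parse REG_SZ and REG_DWORD values from .reg text; hex/binary data is skipped."""
    snap: Snapshot = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1].lower()
            snap.setdefault(key, {})
            continue
        if key is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "" if name == "@" else name.strip('"')  # "@" is the key's (Default) value
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # .reg escapes \ and " with a backslash
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        else:
            continue
        snap[key][name.lower()] = data
    return snap


def audit(snap: Snapshot) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for every value that deviates from its default."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in snap.items():
        # Drop the hive and any Wow6432Node prefix so both views are judged the same way.
        tail = key.split("\\software\\", 1)[-1].replace("wow6432node\\", "")
        if tail == r"microsoft\windows nt\currentversion\winlogon":
            shell = values.get("shell")
            if shell is not None and shell.lower() != DEFAULT_SHELL:
                findings.append((key, "shell", shell))
            userinit = values.get("userinit")
            if userinit is not None and userinit.lower().rstrip(",") != DEFAULT_USERINIT:
                findings.append((key, "userinit", userinit))
            for name in ("legalnoticecaption", "legalnoticetext"):
                if values.get(name):
                    findings.append((key, name, values[name]))
        elif tail == r"microsoft\windows\currentversion\policies\system":
            for name in POLICY_VALUES:
                if values.get(name, "0") != "0":
                    findings.append((key, name, values[name]))
        elif tail == r"microsoft\windows\currentversion\run":
            for name, data in values.items():
                if name in RUN_NAMES_FROM_REPORT:
                    findings.append((key, name, data))
        elif tail == r"classes\exefile" and values.get("", "Application") != "Application":
            findings.append((key, "(default)", values[""]))  # Explorer shows this as the type
        else:
            m = re.fullmatch(r"classes\\(\w+)\\shell\\open\\command", tail)
            if m and m.group(1) in DEFAULT_OPEN_CMD:
                cmd = values.get("")
                if cmd is not None and cmd != DEFAULT_OPEN_CMD[m.group(1)]:
                    findings.append((key, "(default)", cmd))
    return findings


SAMPLE_REG = r'''Windows Registry Editor Version 5.00
; constructed for the demo from the report's IoCs; not a real export
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
"LegalNoticeCaption"="Cemlekum"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD"=dword:00000001
"EnableLUA"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
@="File Folder"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"tiwi"="C:\\Windows\\tiwi"
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
'''

if __name__ == "__main__":
    for key, name, data in audit(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\n    {name} = {data}")
```

On a real host, run `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (and the same for the Wow6432Node copy, Policies\System, Classes\exefile and friends, and the Run keys) from an elevated prompt, read the files with encoding utf-16 (reg.exe writes UTF-16LE) and feed the concatenated text to parse_reg_export. Hex and multi-string data are skipped, which is fine here because every value involved is REG_SZ or REG_DWORD. The constructed sample yields seven findings: the Wow6432Node Shell, Userinit and LegalNoticeCaption, DisableCMD, the exefile type name and open command, and the tiwi Run entry; the native Winlogon key, the untouched batfile command and the Sidebar entry produce none.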
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only), drive roots probed per process (letters sorted):
  e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe: \??\E: G: K: L: P: Q: R: T: V: W:
  Tiwi.exe: \??\E: G: K: L: P: R: T: U: V: W:
  winlogon.exe: \??\B: E: G: I: N: O: Q: X: Y: Z:
  imoet.exe: \??\B: H: I: K: L: M: O: R: S: T: U: V: W:
  cute.exe: \??\B: E: H: J: L: N: O: Q: R: T: U: V: W: Z:
  IExplorer.exe: \??\B: M: P: R: W: X: Z:
  Between them the six processes open B:, E: and every letter from G: to Z: (the list is capped at 64 entries, so A:, D: and F: may simply not be shown). This is the root sweep a removable-media worm performs before dropping autorun.inf and a copy of itself on each volume it finds; F:\ is indeed written in "Drops autorun.inf file" below.
Modifies WinLogon (2 TTPs, 18 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"
    by cute.exe, IExplorer.exe, e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe, Tiwi.exe, winlogon.exe, imoet.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "
    by Tiwi.exe, imoet.exe, cute.exe, winlogon.exe, e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe, IExplorer.exe
    The text is Indonesian; the original is kept verbatim above because it is the indicator. Roughly: "When the Princess fell asleep, I lit a lantern to keep her warm and waited for her to wake. Who knows when she will see how sincere my heart is.... (sounds like someone's FS page, whose was it??) :P" (FS is most likely Friendster).
  Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\
    by winlogon.exe, IExplorer.exe, cute.exe, e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe, imoet.exe, Tiwi.exe
  LegalNoticeCaption and LegalNoticeText put a mandatory message box in front of the logon screen. Here it is a calling card rather than a control, but the caption "Cemlekum" is a convenient string to pivot on when hunting for related samples, and on a cleaned host both values should be emptied, not just the Shell and Userinit entries.
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  File created F:\autorun.inf by Tiwi.exe
  File opened for modification F:\autorun.inf by Tiwi.exe
  File created C:\autorun.inf by Tiwi.exe
  File opened for modification C:\autorun.inf by Tiwi.exe
  The report does not show the file's contents. Windows 7 no longer honours autorun.inf on non-optical removable media, so on this analysis image the file is largely inert; it still marks F:\ as an infected volume and would trigger on older hosts or wherever AutoRun has been re-enabled, and it is the artefact to look for on any USB stick that has touched an infected machine.
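When an autorun.inf turns up on a volume that has been near an infected host, the question is what it would execute and how. The parser below is an added example for this report, not Triage's code; the report does not show what the sample's autorun.inf contains, so SAMPLE_INF is constructed in the style such worms use (a payload under RECYCLER, a default verb, an icon to look ordinary) and is not the sample's real file. It handles only the [autorun] section; architecture-specific sections such as [autorun.amd64] are ignored.

```python
"""Parse an autorun.inf recovered from a suspect volume and explain why it matters.

Added example for this report (not Triage's or the sample's code). SAMPLE_INF is
constructed for the demo; the report does not show the real file's contents.
"""
import re
from typing import Dict, List

EXEC_KEYS = ("open", "shellexecute")  # [autorun] keys that launch a program directly
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd|vbs|js|lnk)(\s|$)", re.IGNORECASE)
HIDING_FOLDER = re.compile(r"(^|\\)(recycler|system volume information)(\\|$)", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as lower-cased key -> value.

    Comments, blank lines and other sections are ignored. A repeated key keeps
    the last value; this is triage, not an emulation of the shell's own parser.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess(entries: Dict[str, str]) -> List[str]:
    """List the reasons an autorun.inf is dangerous; an empty list means nothing executes."""
    reasons: List[str] = []
    targets: List[str] = []
    for key in EXEC_KEYS:
        if key in entries:
            reasons.append(f"{key}= launches {entries[key]}")
            targets.append(entries[key])
    # shell\<verb>\command= adds a context-menu verb; shell=<verb> makes that verb the
    # double-click default, so code can run even when open= is absent.
    default_verb = entries.get("shell", "").lower()
    for key, value in entries.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            tag = " (default verb)" if parts[1] == default_verb else ""
            reasons.append(f"{key}= launches {value}{tag}")
            targets.append(value)
    if entries.get("useautoplay") == "1":
        reasons.append("useautoplay=1 asks Windows to skip the AutoPlay prompt")
    if targets and "icon" in entries:
        reasons.append(f"icon={entries['icon']} dresses the volume up to look ordinary")
    for target in dict.fromkeys(targets):  # de-duplicate, keep order
        if EXECUTABLE_EXT.search(target) and HIDING_FOLDER.search(target):
            reasons.append(f"payload hidden in a system-looking folder: {target}")
    return reasons


SAMPLE_INF = """[AutoRun]
; constructed for the demo; the report does not show the real file's contents
open=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
shell\\open=&Open
shell=open
icon=%SystemRoot%\\system32\\shell32.dll,8
useautoplay=1
"""

if __name__ == "__main__":
    for reason in assess(parse_autorun(SAMPLE_INF)):
        print(reason)
```

Run it against the file pulled from the volume (read it as text; these files are ASCII). A benign autorun.inf that only sets label= and icon= returns no reasons, while the constructed sample above returns five: the open= and the default-verb command, the AutoPlay bypass, the icon spoof, and the RECYCLER hiding place. Because Windows 7 and later ignore these entries on USB media, a hit tells you the medium is infected and how an older host would be compromised, not that the analysis host itself executed anything.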
Drops file in System32 directory (40 IoCs)
  SAMPLE = e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
  C:\Windows\SysWOW64\IExplorer.exe: created by winlogon.exe, cute.exe, imoet.exe, SAMPLE, IExplorer.exe, Tiwi.exe; opened for modification by winlogon.exe, SAMPLE, Tiwi.exe, IExplorer.exe, imoet.exe, cute.exe
  C:\Windows\SysWOW64\shell.exe: created by SAMPLE; opened for modification by SAMPLE, Tiwi.exe, winlogon.exe, imoet.exe, IExplorer.exe, cute.exe
  C:\Windows\SysWOW64\tiwi.scr: created by SAMPLE; opened for modification by SAMPLE, IExplorer.exe, imoet.exe, Tiwi.exe, cute.exe, winlogon.exe
  C:\Windows\SysWOW64\msvbvm60.dll: created by IExplorer.exe (7 events); opened for modification by IExplorer.exe (7 events)
  The sample addresses C:\Windows\system32, but as a 32-bit process on the x64 image it is redirected to SysWOW64, which is where the files actually land. The registry values elsewhere in this report name system32\IExplorer.exe and system32\shell.exe literally; a 64-bit consumer of those values looks in the real system32, where nothing was written, so check both directories and do not assume the persistence behaves on x64 as it would on a 32-bit host. msvbvm60.dll is the Visual Basic 6 runtime, shipped with the worm so its copies run on hosts that lack it.
Drops file in Windows directory 26 IoCs
description | ioc | Process
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | imoet.exe
File opened for modification | C:\Windows\tiwi.exe | cute.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | Tiwi.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File opened for modification | C:\Windows\tiwi.exe | imoet.exe
File created | C:\Windows\tiwi.exe | winlogon.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\tiwi.exe | Tiwi.exe
File opened for modification | C:\Windows\tiwi.exe | winlogon.exe
File opened for modification | C:\Windows\tiwi.exe | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\tiwi.exe | IExplorer.exe
File created | C:\Windows\tiwi.exe | cute.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Control Panel 54 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s1159 = "Tiwi" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s1159 = "Tiwi" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Mouse\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Mouse\ | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\ | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Mouse\SwapMouseButtons = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s2359 = "Tiwi" | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\ | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Mouse\SwapMouseButtons = "1" | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s2359 = "Tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Mouse\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Mouse\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s2359 = "Tiwi" | cute.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Mouse\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s1159 = "Tiwi" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s2359 = "Tiwi" | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Mouse\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s1159 = "Tiwi" | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s1159 = "Tiwi" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s1159 = "Tiwi" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s2359 = "Tiwi" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Mouse\SwapMouseButtons = "1" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\s2359 = "Tiwi" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | imoet.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Mouse\SwapMouseButtons = "1" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\ | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR" | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\ | Tiwi.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\Mouse\SwapMouseButtons = "1" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Control Panel\International\ | cute.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\ | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\ | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | Tiwi.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\ | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\ | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | imoet.exe
Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\ | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.." | IExplorer.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | imoet.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | cute.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | Tiwi.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com" | IExplorer.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | cute.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Tiwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
1908 | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid | Process
2764 | Tiwi.exe
1472 | imoet.exe
1636 | winlogon.exe
2540 | IExplorer.exe
1676 | cute.exe
Suspicious use of SetWindowsHookEx 36 IoCs
pid | Process
1908 | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
2764 | Tiwi.exe
2716 | Tiwi.exe
2540 | IExplorer.exe
1888 | IExplorer.exe
1636 | winlogon.exe
2336 | winlogon.exe
1472 | imoet.exe
1676 | cute.exe
2276 | Tiwi.exe
2848 | Tiwi.exe
2928 | Tiwi.exe
1068 | Tiwi.exe
2000 | IExplorer.exe
2572 | imoet.exe
2660 | winlogon.exe
2544 | winlogon.exe
2796 | IExplorer.exe
2452 | imoet.exe
2880 | imoet.exe
1708 | cute.exe
1644 | cute.exe
2756 | winlogon.exe
2716 | winlogon.exe
1940 | imoet.exe
1888 | cute.exe
1172 | imoet.exe
1196 | Tiwi.exe
308 | cute.exe
2148 | IExplorer.exe
2900 | cute.exe
1828 | winlogon.exe
1324 | imoet.exe
2412 | cute.exe
1692 | IExplorer.exe
740 | IExplorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1908 wrote to memory of 2764 | 1908 | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe | 28
PID 1908 wrote to memory of 2764 | 1908 | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe | 28
PID 1908 wrote to memory of 2764 | 1908 | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe | 28
PID 1908 wrote to memory of 2764 | 1908 | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe | 28
PID 2764 wrote to memory of 2716 | 2764 | Tiwi.exe | 54
PID 2764 wrote to memory of 2716 | 2764 | Tiwi.exe | 54
PID 2764 wrote to memory of 2716 | 2764 | Tiwi.exe | 54
PID 2764 wrote to memory of 2716 | 2764 | Tiwi.exe | 54
PID 1908 wrote to memory of 2540 | 1908 | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe | 29
PID 1908 wrote to memory of 2540 | 1908 | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe | 29
PID 1908 wrote to memory of 2540 | 1908 | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe | 29
PID 1908 wrote to memory of 2540 | 1908 | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe | 29
PID 2764 wrote to memory of 1888 | 2764 | Tiwi.exe | 56
PID 2764 wrote to memory of 1888 | 2764 | Tiwi.exe | 56
PID 2764 wrote to memory of 1888 | 2764 | Tiwi.exe | 56
PID 2764 wrote to memory of 1888 | 2764 | Tiwi.exe | 56
PID 2764 wrote to memory of 1636 | 2764 | Tiwi.exe | 32
PID 2764 wrote to memory of 1636 | 2764 | Tiwi.exe | 32
PID 2764 wrote to memory of 1636 | 2764 | Tiwi.exe | 32
PID 2764 wrote to memory of 1636 | 2764 | Tiwi.exe | 32
PID 1908 wrote to memory of 2336 | 1908 | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe | 33
PID 1908 wrote to memory of 2336 | 1908 | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe | 33
PID 1908 wrote to memory of 2336 | 1908 | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe | 33
PID 1908 wrote to memory of 2336 | 1908 | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe | 33
PID 2764 wrote to memory of 1472 | 2764 | Tiwi.exe | 34
PID 2764 wrote to memory of 1472 | 2764 | Tiwi.exe | 34
PID 2764 wrote to memory of 1472 | 2764 | Tiwi.exe | 34
PID 2764 wrote to memory of 1472 | 2764 | Tiwi.exe | 34
PID 2540 wrote to memory of 2276 | 2540 | IExplorer.exe | 35
PID 2540 wrote to memory of 2276 | 2540 | IExplorer.exe | 35
PID 2540 wrote to memory of 2276 | 2540 | IExplorer.exe | 35
PID 2540 wrote to memory of 2276 | 2540 | IExplorer.exe | 35
PID 2764 wrote to memory of 1676 | 2764 | Tiwi.exe | 36
PID 2764 wrote to memory of 1676 | 2764 | Tiwi.exe | 36
PID 2764 wrote to memory of 1676 | 2764 | Tiwi.exe | 36
PID 2764 wrote to memory of 1676 | 2764 | Tiwi.exe | 36
PID 1636 wrote to memory of 1068 | 1636 | winlogon.exe | 37
PID 1636 wrote to memory of 1068 | 1636 | winlogon.exe | 37
PID 1636 wrote to memory of 1068 | 1636 | winlogon.exe | 37
PID 1636 wrote to memory of 1068 | 1636 | winlogon.exe | 37
PID 1676 wrote to memory of 2848 | 1676 | cute.exe | 40
PID 1676 wrote to memory of 2848 | 1676 | cute.exe | 40
PID 1676 wrote to memory of 2848 | 1676 | cute.exe | 40
PID 1676 wrote to memory of 2848 | 1676 | cute.exe | 40
PID 2540 wrote to memory of 2796 | 2540 | IExplorer.exe | 39
PID 2540 wrote to memory of 2796 | 2540 | IExplorer.exe | 39
PID 2540 wrote to memory of 2796 | 2540 | IExplorer.exe | 39
PID 2540 wrote to memory of 2796 | 2540 | IExplorer.exe | 39
PID 1636 wrote to memory of 740 | 1636 | winlogon.exe | 41
PID 1636 wrote to memory of 740 | 1636 | winlogon.exe | 41
PID 1636 wrote to memory of 740 | 1636 | winlogon.exe | 41
PID 1636 wrote to memory of 740 | 1636 | winlogon.exe | 41
PID 1472 wrote to memory of 2928 | 1472 | imoet.exe | 38
PID 1472 wrote to memory of 2928 | 1472 | imoet.exe | 38
PID 1472 wrote to memory of 2928 | 1472 | imoet.exe | 38
PID 1472 wrote to memory of 2928 | 1472 | imoet.exe | 38
PID 1676 wrote to memory of 1692 | 1676 | cute.exe | 43
PID 1676 wrote to memory of 1692 | 1676 | cute.exe | 43
PID 1676 wrote to memory of 1692 | 1676 | cute.exe | 43
PID 1676 wrote to memory of 1692 | 1676 | cute.exe | 43
PID 1472 wrote to memory of 2000 | 1472 | imoet.exe | 44
PID 1472 wrote to memory of 2000 | 1472 | imoet.exe | 44
PID 1472 wrote to memory of 2000 | 1472 | imoet.exe | 44
PID 1472 wrote to memory of 2000 | 1472 | imoet.exe | 44
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | imoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cute.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Tiwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | Tiwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | imoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | cute.exe
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe"
    PID: 1908
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    depth 2: C:\Windows\Tiwi.exe
        command line: C:\Windows\Tiwi.exe
        PID: 2764
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Disables RegEdit via registry modification
        - Disables cmd.exe use via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies system executable filetype association
        - Adds Run key to start application
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies Internet Explorer start page
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification

        depth 3: C:\Windows\Tiwi.exe
            command line: C:\Windows\Tiwi.exe
            PID: 2716
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

        depth 3: C:\Windows\SysWOW64\IExplorer.exe
            command line: C:\Windows\system32\IExplorer.exe
            PID: 1888
            - Executes dropped EXE
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Suspicious use of SetWindowsHookEx

        depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
            PID: 1636
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - Disables RegEdit via registry modification
            - Disables cmd.exe use via registry modification
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies system executable filetype association
            - Adds Run key to start application
            - Enumerates connected drives
            - Modifies WinLogon
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Modifies Control Panel
            - Modifies Internet Explorer settings
            - Modifies Internet Explorer start page
            - Modifies registry class
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification

            depth 4: C:\Windows\Tiwi.exe
                command line: C:\Windows\Tiwi.exe
                PID: 1068
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

            depth 4: C:\Windows\SysWOW64\IExplorer.exe
                command line: C:\Windows\system32\IExplorer.exe
                PID: 740
                - Executes dropped EXE
                - Drops file in System32 directory
                - Drops file in Windows directory
                - Suspicious use of SetWindowsHookEx

            depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                PID: 2544
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

            depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                PID: 2880
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

            depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                PID: 1644
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

        depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
            PID: 1472
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - Disables RegEdit via registry modification
            - Disables cmd.exe use via registry modification
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies system executable filetype association
            - Adds Run key to start application
            - Enumerates connected drives
            - Modifies WinLogon
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Modifies Control Panel
            - Modifies Internet Explorer settings
            - Modifies Internet Explorer start page
            - Modifies registry class
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification

            depth 4: C:\Windows\Tiwi.exe
                command line: C:\Windows\Tiwi.exe
                PID: 2928
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

            depth 4: C:\Windows\SysWOW64\IExplorer.exe
                command line: C:\Windows\system32\IExplorer.exe
                PID: 2000
                - Executes dropped EXE
                - Drops file in System32 directory
                - Drops file in Windows directory
                - Suspicious use of SetWindowsHookEx

            depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                PID: 2660
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

            depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
                PID: 2452
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

            depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
                command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
                PID: 1888
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

        depth 3: C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
            command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
            PID: 1676
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - Disables RegEdit via registry modification
            - Disables cmd.exe use via registry modification
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies system executable filetype association
            - Adds Run key to start application
            - Enumerates connected drives
            - Modifies WinLogon
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Modifies Control Panel
            - Modifies Internet Explorer settings
            - Modifies Internet Explorer start page
            - Modifies registry class
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification

            depth 4: C:\Windows\Tiwi.exe
                command line: C:\Windows\Tiwi.exe
                PID: 2848
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

            depth 4: C:\Windows\SysWOW64\IExplorer.exe
                command line: C:\Windows\system32\IExplorer.exe
                PID: 1692
                - Executes dropped EXE
                - Drops file in System32 directory
                - Drops file in Windows directory
                - Suspicious use of SetWindowsHookEx

            depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
                command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
                PID: 2756
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

            depth 4: C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
                command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1940
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:308
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2540 -
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2276
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2796
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2716
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1172
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2900
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2336
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2572
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1708
-
-
C:\Windows\Tiwi.exeC:\Windows\Tiwi.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1196
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2148
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1828
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1324
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2412
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (9)
Downloads