4164367730113174b4dbffd025494bac125911a2b07c898759df585f1dfa09b8

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Size

15.4MB
MD5

e738e1243e71cbcd9f6347b70e5dc933
SHA1

b6115ff35a837ee88295d7744d632e39e1f85a95
SHA256

4164367730113174b4dbffd025494bac125911a2b07c898759df585f1dfa09b8
SHA512

a3ff98230574083a193d15e0b77f6c3abb50478b2a7c3e601a5325c4306515ad5d237b1982045fab973e2bbdd8be5456341183293a6d8e3fb1919e1e54886809
SSDEEP

49152:HGiAnGi2Gi2Gi2Gi2Gi2GivGiZGi2Gi2Gi2Gi2Gi2Gi2GihGiZGi2Gi2Gi2Gi2GM:D

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 35 IoCs

pid	Process
3888	Tiwi.exe
4068	IExplorer.exe
2356	winlogon.exe
2368	Tiwi.exe
224	IExplorer.exe
4844	Tiwi.exe
2664	winlogon.exe
4308	IExplorer.exe
1640	winlogon.exe
4564	imoet.exe
2028	imoet.exe
1216	cute.exe
3964	cute.exe
1172	Tiwi.exe
1380	IExplorer.exe
4364	winlogon.exe
1908	imoet.exe
4296	cute.exe
2204	Tiwi.exe
4996	IExplorer.exe
4772	winlogon.exe
3224	imoet.exe
2668	cute.exe
3228	imoet.exe
1768	cute.exe
3924	Tiwi.exe
4556	IExplorer.exe
932	winlogon.exe
3728	imoet.exe
3384	cute.exe
1064	Tiwi.exe
756	IExplorer.exe
1596	winlogon.exe
2584	imoet.exe
2176	cute.exe

Loads dropped DLL 6 IoCs

pid	Process
2368	Tiwi.exe
4844	Tiwi.exe
1172	Tiwi.exe
2204	Tiwi.exe
3924	Tiwi.exe
1064	Tiwi.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File opened (read-only)	\??\U:	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File opened (read-only)	\??\U:	winlogon.exe
File opened (read-only)	\??\B:	Tiwi.exe
File opened (read-only)	\??\N:	IExplorer.exe
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\G:	cute.exe
File opened (read-only)	\??\Y:	cute.exe
File opened (read-only)	\??\J:	Tiwi.exe
File opened (read-only)	\??\U:	cute.exe
File opened (read-only)	\??\V:	cute.exe
File opened (read-only)	\??\K:	winlogon.exe
File opened (read-only)	\??\Q:	winlogon.exe
File opened (read-only)	\??\Y:	Tiwi.exe
File opened (read-only)	\??\V:	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File opened (read-only)	\??\Z:	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\Z:	Tiwi.exe
File opened (read-only)	\??\L:	IExplorer.exe
File opened (read-only)	\??\Q:	imoet.exe
File opened (read-only)	\??\N:	cute.exe
File opened (read-only)	\??\R:	cute.exe
File opened (read-only)	\??\S:	cute.exe
File opened (read-only)	\??\H:	Tiwi.exe
File opened (read-only)	\??\X:	Tiwi.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\E:	imoet.exe
File opened (read-only)	\??\I:	cute.exe
File opened (read-only)	\??\M:	cute.exe
File opened (read-only)	\??\O:	winlogon.exe
File opened (read-only)	\??\W:	winlogon.exe
File opened (read-only)	\??\K:	Tiwi.exe
File opened (read-only)	\??\E:	winlogon.exe
File opened (read-only)	\??\H:	winlogon.exe
File opened (read-only)	\??\P:	Tiwi.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\J:	imoet.exe
File opened (read-only)	\??\K:	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File opened (read-only)	\??\X:	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File opened (read-only)	\??\Y:	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File opened (read-only)	\??\P:	cute.exe
File opened (read-only)	\??\P:	winlogon.exe
File opened (read-only)	\??\P:	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File opened (read-only)	\??\B:	winlogon.exe
File opened (read-only)	\??\R:	Tiwi.exe
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\L:	imoet.exe
File opened (read-only)	\??\K:	cute.exe
File opened (read-only)	\??\W:	IExplorer.exe
File opened (read-only)	\??\E:	cute.exe
File opened (read-only)	\??\B:	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File opened (read-only)	\??\W:	cute.exe
File opened (read-only)	\??\E:	Tiwi.exe
File opened (read-only)	\??\N:	Tiwi.exe
File opened (read-only)	\??\U:	Tiwi.exe
File opened (read-only)	\??\G:	imoet.exe
File opened (read-only)	\??\T:	imoet.exe
File opened (read-only)	\??\B:	IExplorer.exe
File opened (read-only)	\??\K:	IExplorer.exe
File opened (read-only)	\??\V:	winlogon.exe
File opened (read-only)	\??\H:	imoet.exe
File opened (read-only)	\??\M:	winlogon.exe
File opened (read-only)	\??\Q:	Tiwi.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	IExplorer.exe
File created	F:\autorun.inf	IExplorer.exe
File opened for modification	F:\autorun.inf	IExplorer.exe
File created	F:\autorun.inf	Tiwi.exe
File opened for modification	F:\autorun.inf	Tiwi.exe
File created	C:\autorun.inf	Tiwi.exe
File opened for modification	C:\autorun.inf	Tiwi.exe
File created	C:\autorun.inf	IExplorer.exe

Drops file in System32 directory 40 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File created	C:\Windows\SysWOW64\tiwi.scr	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Mouse\SwapMouseButtons = "1"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Mouse\	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Mouse\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Mouse\	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\s2359 = "Tiwi"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Mouse\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Mouse\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Mouse\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\s1159 = "Tiwi"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\Main\	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4368	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
4368	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
3888	Tiwi.exe
4564	imoet.exe
2356	winlogon.exe
4068	IExplorer.exe
1216	cute.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
4368	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
3888	Tiwi.exe
4068	IExplorer.exe
2356	winlogon.exe
2368	Tiwi.exe
224	IExplorer.exe
4844	Tiwi.exe
2664	winlogon.exe
4308	IExplorer.exe
1640	winlogon.exe
4564	imoet.exe
2028	imoet.exe
1216	cute.exe
3964	cute.exe
1172	Tiwi.exe
1380	IExplorer.exe
4364	winlogon.exe
1908	imoet.exe
4296	cute.exe
2204	Tiwi.exe
4996	IExplorer.exe
4772	winlogon.exe
3224	imoet.exe
2668	cute.exe
3228	imoet.exe
1768	cute.exe
3924	Tiwi.exe
4556	IExplorer.exe
932	winlogon.exe
3728	imoet.exe
3384	cute.exe
1064	Tiwi.exe
756	IExplorer.exe
1596	winlogon.exe
2584	imoet.exe
2176	cute.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 3888	4368	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe	88
PID 4368 wrote to memory of 3888	4368	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe	88
PID 4368 wrote to memory of 3888	4368	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe	88
PID 4368 wrote to memory of 4068	4368	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe	89
PID 4368 wrote to memory of 4068	4368	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe	89
PID 4368 wrote to memory of 4068	4368	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe	89
PID 4368 wrote to memory of 2356	4368	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe	90
PID 4368 wrote to memory of 2356	4368	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe	90
PID 4368 wrote to memory of 2356	4368	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe	90
PID 3888 wrote to memory of 2368	3888	Tiwi.exe	91
PID 3888 wrote to memory of 2368	3888	Tiwi.exe	91
PID 3888 wrote to memory of 2368	3888	Tiwi.exe	91
PID 3888 wrote to memory of 224	3888	Tiwi.exe	92
PID 3888 wrote to memory of 224	3888	Tiwi.exe	92
PID 3888 wrote to memory of 224	3888	Tiwi.exe	92
PID 4068 wrote to memory of 4844	4068	IExplorer.exe	93
PID 4068 wrote to memory of 4844	4068	IExplorer.exe	93
PID 4068 wrote to memory of 4844	4068	IExplorer.exe	93
PID 3888 wrote to memory of 2664	3888	Tiwi.exe	94
PID 3888 wrote to memory of 2664	3888	Tiwi.exe	94
PID 3888 wrote to memory of 2664	3888	Tiwi.exe	94
PID 4068 wrote to memory of 4308	4068	IExplorer.exe	95
PID 4068 wrote to memory of 4308	4068	IExplorer.exe	95
PID 4068 wrote to memory of 4308	4068	IExplorer.exe	95
PID 4068 wrote to memory of 1640	4068	IExplorer.exe	97
PID 4068 wrote to memory of 1640	4068	IExplorer.exe	97
PID 4068 wrote to memory of 1640	4068	IExplorer.exe	97
PID 3888 wrote to memory of 4564	3888	Tiwi.exe	96
PID 3888 wrote to memory of 4564	3888	Tiwi.exe	96
PID 3888 wrote to memory of 4564	3888	Tiwi.exe	96
PID 4068 wrote to memory of 2028	4068	IExplorer.exe	98
PID 4068 wrote to memory of 2028	4068	IExplorer.exe	98
PID 4068 wrote to memory of 2028	4068	IExplorer.exe	98
PID 4068 wrote to memory of 1216	4068	IExplorer.exe	99
PID 4068 wrote to memory of 1216	4068	IExplorer.exe	99
PID 4068 wrote to memory of 1216	4068	IExplorer.exe	99
PID 3888 wrote to memory of 3964	3888	Tiwi.exe	100
PID 3888 wrote to memory of 3964	3888	Tiwi.exe	100
PID 3888 wrote to memory of 3964	3888	Tiwi.exe	100
PID 4564 wrote to memory of 1172	4564	imoet.exe	101
PID 4564 wrote to memory of 1172	4564	imoet.exe	101
PID 4564 wrote to memory of 1172	4564	imoet.exe	101
PID 4564 wrote to memory of 1380	4564	imoet.exe	102
PID 4564 wrote to memory of 1380	4564	imoet.exe	102
PID 4564 wrote to memory of 1380	4564	imoet.exe	102
PID 4564 wrote to memory of 4364	4564	imoet.exe	103
PID 4564 wrote to memory of 4364	4564	imoet.exe	103
PID 4564 wrote to memory of 4364	4564	imoet.exe	103
PID 4564 wrote to memory of 1908	4564	imoet.exe	104
PID 4564 wrote to memory of 1908	4564	imoet.exe	104
PID 4564 wrote to memory of 1908	4564	imoet.exe	104
PID 4564 wrote to memory of 4296	4564	imoet.exe	105
PID 4564 wrote to memory of 4296	4564	imoet.exe	105
PID 4564 wrote to memory of 4296	4564	imoet.exe	105
PID 1216 wrote to memory of 2204	1216	cute.exe	106
PID 1216 wrote to memory of 2204	1216	cute.exe	106
PID 1216 wrote to memory of 2204	1216	cute.exe	106
PID 1216 wrote to memory of 4996	1216	cute.exe	107
PID 1216 wrote to memory of 4996	1216	cute.exe	107
PID 1216 wrote to memory of 4996	1216	cute.exe	107
PID 1216 wrote to memory of 4772	1216	cute.exe	108
PID 1216 wrote to memory of 4772	1216	cute.exe	108
PID 1216 wrote to memory of 4772	1216	cute.exe	108
PID 1216 wrote to memory of 3224	1216	cute.exe	109

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e738e1243e71cbcd9f6347b70e5dc933_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4368
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3888
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2368
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:224
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2664
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4564
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1172
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1380
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4364
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1908
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4296
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3964
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4068
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4844
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4308
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1640
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2028
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1216
  - - C:\Windows\Tiwi.exe
      C:\Windows\Tiwi.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2204
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:4996
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4772
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3224
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2668
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2356
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1064
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:756
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1596
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2584
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2176
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3228
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1768
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3924
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:4556
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:932
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3728
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Tiwi.exe

Filesize
15.4MB

MD5
54fc4776311f9a0ce5f13c73ffd0e4f1

SHA1
8d04aba528102962d1423cc0df227ee917d18717

SHA256
8541ff24c27d3c88fe4666f60bd03af71bf61bd1611ea853fbdb2c9345b7ddf5

SHA512
69983759fd7b427bc75f6e92807d3ec4590e6278b8552ce9de8067f98a84d8a1a0d54884b1145b56ae72cb60b1708c20ac15fe6f2d9f9fb2a84e6b358984dc90

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
1195739d93bb5664d45861c6c930a31f

SHA1
efbe325fa8380e21e547a1568d334c90eceebd28

SHA256
2c9b30b1a99cb47b23bb25ec6f3c6cb24c53c25695aa61a5cbaa0349ddd11ba9

SHA512
d97da1d33bfb723c3014abfce897ade897b1ccebf3913b41231596f0a93bb921cf3514b2baa6878443528bbe6a6a01713cb59fcca3428cf70dfce6464fa56e76

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
15.4MB

MD5
591b67430b5614ba927fdeeffe0b86c1

SHA1
da4f32524579921fbd7d4ec5d63409754a60df03

SHA256
2289acbeea06bea49e0e8ddfc05e4441b185492d67f88388f30c9c735e868c11

SHA512
4495398032a590e55bac9edcc925f35b0fa4f817508ca1f1451468762a095d3217b2826bba4dd1f9ed1692e58c86ea0a698c0c6cc9ac7684e649c5865d762f5d

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe

Filesize
15.4MB

MD5
f6bda1daf4d32cde517e84399b9f5454

SHA1
e6883e204de10e34a57e24275baaf8440b0ce561

SHA256
56f640269ae0621acd5755914e645027e12aa583734ee71d3a6a22f454f390b9

SHA512
b9df052e3e1bc5d28095ed6d17fa9764858f15c89bf74f5350e7bd75011a9c0f9cc5272de74b1fa64850504561c8ff14cea88556993bb2c629de378028d3c6d4

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe

Filesize
15.4MB

MD5
7070484b7e17609023ad71810d3bdbba

SHA1
f1b8da3e61fedb36a7aa40c35bcb87e80ea3efd8

SHA256
07d50e5787492114f44b917dd9a7a722c42f29072a70ea6e352292642be75279

SHA512
c8823b49af78327b44bad5cc16023fea4e0588739932abfb6a73357b4f11e27824cbbc18b3dc4b14ff59d8b7189dcdc8e05ef08ea296f7760babe32fdb285719

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
869e52c3ae5ee3d668d86a309a0e5abf

SHA1
9515d008e66912fd12195d44a6b900ba7c79bca6

SHA256
41ad5882f431ce2c2edaf266828f6216cbac39b50a844bdf70c7d435605174ca

SHA512
98e962e418ce8ba0236014b14edd16a77050f857bc1d953fe18f95bd1709e82062b5371c6da9642952950c8249b0819ddd0f5252e4ff97010a75d58c36570f89

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
4c7345edcefadd92e3ec3e1f38bd0ca7

SHA1
7d2df858c1ad4364013ecf61d05fac241e3a16df

SHA256
6244a5b4704cdf6e7e1e10cb812eddaf0292bf658f632bd9d3c36143a33f8cf7

SHA512
7f3f64c863c1d6115537d577b85267812f043e8eaee24f60c85e95538808f431e662762780a754a6599e022fb43b6c15b7fabfca99278df524d9a32a4ef6f2ac

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
15.4MB

MD5
e738e1243e71cbcd9f6347b70e5dc933

SHA1
b6115ff35a837ee88295d7744d632e39e1f85a95

SHA256
4164367730113174b4dbffd025494bac125911a2b07c898759df585f1dfa09b8

SHA512
a3ff98230574083a193d15e0b77f6c3abb50478b2a7c3e601a5325c4306515ad5d237b1982045fab973e2bbdd8be5456341183293a6d8e3fb1919e1e54886809

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

Filesize
15.4MB

MD5
9312b87e23f571c3222078b1ec89fcd2

SHA1
48a31e01ea9fa6c5d35926d3e18b3e450ed5a01f

SHA256
317fbdc7316d1743e2dfd1c062be7fe5f03e40a00c19a2179aba0613368d9934

SHA512
5e50a212cd6aeeb02c3836c477ff00a51760c0c14ca79920e39c30cc0ca2727f4e59f0d2fbab52473d68a3754806334340ffcda1611f444a87c862dc1256a608

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
15.4MB

MD5
45e25830525108cd0600baf5f36040ec

SHA1
cb71fe70897fb524b870aa8cadb0ceddbf39e1e8

SHA256
d3424e768221b62b4c10f6c79a36e1cd503fda9d5fefb2039f2cf35e41c972e6

SHA512
d683ff7058f3ef65fad1764bbbbe0856aa3a061d6be7419a5fee7607de103755614a190aa0697d821ebee27f40aa47eea3aa2d672c559930b041d7d68b85c96b

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
15.4MB

MD5
c4ae1b01d54759199a36c95600478a86

SHA1
1885dd6f668b4556c50a51e9d73d2d87eff071b3

SHA256
ec458cdf3132f922340d51b9932956e5023f39d591dc723a5fce10381e935326

SHA512
8867e2641bf783fa9259733cd9033c749d023608e65bc09154275ea9655875a37d543f67f20b1e26bfe3ec57b4e11e3faa66e3474f70d6a24cca74ca43f1a85a

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
15.4MB

MD5
6222040d8374fc09b18935a7d291648b

SHA1
4df2850e44f07d72ba39c3d9d976e3d4ea6fde06

SHA256
b26d55e2cf4c4d10ba866c9b7dff8a2757af7cb26bcd49bed10f9bba4c14d909

SHA512
cfac9eda62b71b619951776b11dafa6b574139d029f551a535f6ada7da78d9efa0cae278b3b648fbc8f1bc0a0ba3503766f928aff6b8eac2164437ca58844ea1

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
15.4MB

MD5
2d52b6974215d2616f288cd7cc2e5fdf

SHA1
06cac4c79be42e2cadad947391f7c0f4c2c85e66

SHA256
7dc4cec5a7e5fc66906acf16c9c167239bbb5360397e6d7bd9fd3ea8619775af

SHA512
e45e4aaa2b483f7c5fd8192d8c34bb2894843aacd53857bc33b00fb127ee41a47397cc8d9bff89ff85417e63dc84aebb7481d574fef8e39960cc6e6c86b591e2

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
15.4MB

MD5
2ad095d2f1d424883d92ef6b50abc58b

SHA1
a735a52019771a0149991a91811ad7578548b653

SHA256
a32e8ead578fb14001a997d3c10d327c07ec31d488b35b9228223c1e6a47922f

SHA512
03f6bcccc4cc61b6d52a6831a58bfa79c3f52f09ea955d5463961c881658e9d2d7425234c0ad1d52f65d115085683c114e345a83f308b9171b160059972a8a3d

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
2.2MB

MD5
f0bf43672fef70417080fe45f609ec14

SHA1
4570b9d46a03f9e3186837a6d804214cdf6fd016

SHA256
af883e205cf7a5b8554fc2f0a583d5ea0b819ff83cef2480c9b3ab5c81050ba9

SHA512
6f60dd907f738d9f8e7e752740149f2251b5f9ff2ed0cc14d84972e0e18f065a00e44a404f7a142193ff8de5c3006f66da7470cd4634d2e92a1cf940653a9a49

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
15.4MB

MD5
1dc0914fb9e55360bcb0bf42aa758c0a

SHA1
b73da374e31c9f7945c4aeeef44214560868b23a

SHA256
498655de12ca2ad0f92bf09edd51953ab6bd2f7aa7a91513273970b70dc5d41c

SHA512
1cf4a71db07088f0db89e3c4040c6a7e9092635f8c54cb02f875776d2ce01cb24ac83e6d63d26bc0a09b7bab755c274e8b683f663f04490952dc38471195b0e1

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
15.4MB

MD5
70f8cd235e8eb7847c8907fba40a4864

SHA1
5a081d79cf32403d8af793a755bf1edd44060b7d

SHA256
1b447bdd2993b87c0af12f41aef1b989ec35f677bc4646603adb33b37aed722e

SHA512
66f4e1be4ed21d2e836d7afa2f3cb6bc81bf60d74febd4abc3d1f3ec105a53be3af57ca1c332b0063fa173e7830ccf0914dd9e71a4f37b6831f80bb11d8357a5

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
15.4MB

MD5
4bbc80eb7b79f7a2c37f9adb4768ac72

SHA1
b19127d71f190120a6ff8d42fab047287ddbab59

SHA256
38999604f4d619b98eac25954f8850d33dbbd1d78c3ba38563c2108c116149b6

SHA512
a9fe54dc2eab789bfe6073866203a24cf37a2661b97a0f2e803355fd0ba4d7a684ffb32ca7547856eb844111e2d91aa4645e642f7e5f498544bcc6c59b39227d

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
1.2MB

MD5
3f874d5ffae4bc221bbe43cf977d3b63

SHA1
03ee1272c8ee31b7495de5d0fd19fd20ace32376

SHA256
902393c169df7303130193eba7ccd1d7416a8ae4cf8318aa22fb93148bcf7623

SHA512
e7077454da58483737ef4fd3be142e550d9e93b40a172a629cb9fea5dc4fdbec83c28eaa37cc904cdbe3f5242e261be49635c7f876ddf8f12b969144fceea59c

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
15.4MB

MD5
ea34c54640091eae2cb44b1133295778

SHA1
de2883ca46eeb8f8c333e959dcdb6cd96eeb9f93

SHA256
7a04e9148467e050c5637247d8d2432765eaf22be4c067cdff90e9239f122329

SHA512
d7ea6cbed5a0be346a033cf2bc80b12568032ed04e995236928b84fe47ff3bae455a6b617e514ed9debb2522e6cff77bd769f2014361c95ca969e0036e0857b8

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\tiwi.exe

Filesize
15.4MB

MD5
3bb6fe149bd373c9e4d76bfc1cf4400f

SHA1
d6f8d346d122560791b063a26577bed9b837528d

SHA256
74478a45355ab8d7957e65b3399fc477472b1c6c23ebcc1d6de1199dc92d0cf7

SHA512
1f7c1033eeeb74d0b74072e4ca5da12feefaa165414288f0ac88e2e5aa189a5f8b8714c1187d21940cd7ee82a4ee4480abfa529d4eee79f53ce849a8a98395e3

Download Submit
C:\tiwi.exe

Filesize
15.4MB

MD5
9782f236eabac8dbe944dc2117134587

SHA1
053ec58835321f69c7c63f5d353b9f7f5e057dfb

SHA256
68ae0395b92298f0b6c22cd6f0bfb0270e837b9eda7cbdd2087e657bace82249

SHA512
745e533c6aba69391514215ce69cbdc4986a13d0f021f6f250c61fa52bd2f6cbab2cfe5351c3ed32ae7d396d3f026ec8d42b7310f50e6c27c2eb016165363ab1

Download Submit
C:\tiwi.exe

Filesize
15.4MB

MD5
81d65b87e4d2575d08e5125bff876da4

SHA1
d1d3176116f4be5d8674c7aac9c3b8c21d2df378

SHA256
c658acdcc5d02aced3629d387892faf067e3c5c70c27e8ee6305312ff8dfbf09

SHA512
d4c2e6ef38469c883d4a49190a4797badf643fe93adecd3ba38da3d675e0edfefde0eb563ee770152049a6716a4d3c0f80af048e7a68e3011457bcf2b40edac9

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
F:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
memory/224-143-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/756-391-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/756-387-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/932-351-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/932-356-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1064-386-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1064-381-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1172-236-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1216-286-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1380-239-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1596-392-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1596-395-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1640-163-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1768-309-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1768-306-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1908-248-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2028-167-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2176-401-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2204-268-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2356-388-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2356-406-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2356-76-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2356-284-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2368-134-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2584-398-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2664-154-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2668-280-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3224-277-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3228-305-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3228-304-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3384-382-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3888-282-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3888-56-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3924-343-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3924-346-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3964-174-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4068-62-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4068-283-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4296-253-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4308-156-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4364-245-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4368-281-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4368-383-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4368-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4368-358-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4556-347-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4556-350-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4564-285-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4772-274-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4844-151-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4996-271-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download