34350f98e5d792b9c822833127f6fc464f62225f960b27e9732cc033c0d22592

Analysis

max time kernel
141s
max time network
128s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
Size

250KB
MD5

f6fc33d78500122206be99a7a01995a3
SHA1

d75c269fea5e64e347236ccd403944c5f8e730bf
SHA256

34350f98e5d792b9c822833127f6fc464f62225f960b27e9732cc033c0d22592
SHA512

26968feec0ed412af72705494fc0d89097cc9945f78f6f3ade8fd1636251d6f006e76a67b32f52ddc7c21c7b52c6510d8931c373fff5d3668d1c59cbf783bd9b
SSDEEP

6144:JZt5xZt53Zt53Zt5xZt53Zt53Zt53Zt53Zt5/:Jrttrttttd

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Win32.crAcker.A = "C:\\Windows\\system32\\crAcker.exe"	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\authui.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\eudcedit.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\imagesp1.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc140u.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\C_20932.NLS	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\iscsied.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDINKAN.DLL	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NAPHLPR.DLL	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\napipsec.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\networkmap.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NlsData0007.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\shgina.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\VBICodec.ax	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\bopomofo.uce	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\C_949.NLS	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\mfcsubs.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\nlmsprep.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\vssadmin.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\AudioSes.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\cryptnet.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\iscsicli.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\scrnsave.scr	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wups.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\C_20277.NLS	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\defaultlocationcpl.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\iesetup.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\imageres.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDMAC.DLL	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\msclmd.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\msvcp140.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\netshell.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\Robocopy.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\AzSqlExt.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\C_1361.NLS	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\p2pnetsh.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\raserver.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NlsData0010.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\noise.kor	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\C_1258.NLS	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDFC.DLL	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDPL.DLL	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\Magnification.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc140esn.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\mfplat.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\RstrtMgr.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\setupcln.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\bitsprx2.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\fdBthProxy.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\irprops.cpl	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\tsgqec.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wscproxystub.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\powercfg.cpl	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\Ribbons.scr	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\secproc_ssp.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\vcamp110.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wecutil.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\AUDIOKSE.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\certmgr.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\kbd101a.DLL	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDTH3.DLL	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\mprdim.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons0003.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\onexui.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\kanji_2.uce	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\WINDOWS\mib.bin	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\setupact.log	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\write.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\explorer.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\system.ini	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\fveupdate.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\HelpPane.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\Starter.xml	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\twain.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\win.ini	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\winhlp32.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\splwow64.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\twunk_16.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\WMSysPr9.prx	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\PFRO.log	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\twain_32.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\hh.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\notepad.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\setuperr.log	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\bfsvc.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\twunk_32.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e588f9ce7ce2324893c7eea585695f5e00000000020000000000106600000001000020000000a075174c2c208f7d66e006691110abed9320501baca286aaf7b5cf8e0ff51346000000000e80000000020000200000007bded77ddcb9d4b0df2bd9e6b377949ac63a6ed6df6bef2c501565f2a4b8dd2b90000000a86bd896256769b0c8778f168b2a514cba41c873a8bb451a1967e6a255a2fbc5f0635a14280e4508342dc5f69f0456dfc0196a7a6fa2f8bd1364e8bb4a8b6c024fe006c81f17c132c1fa7adb8b7f443c1894b588cee53609c7fb40c7b92743c4d780e166fdec29b274a69b134021ce4f4044367e4f9cf8f1d5e64ac9fe0bd6a109fbb3861f79e39f793b414f9d7dfd5c400000003a79cc246106d55c8c33d35d009af9b9b2d8a05439cb74d9c489b1c21a7a2781b150db278072a728660d53556e442ee89a386446783d7c4696d6e19a4c8fe97a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8036d26b2f91da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{96ACF201-FD22-11EE-BDEB-D6E40795ECBF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e588f9ce7ce2324893c7eea585695f5e0000000002000000000010660000000100002000000050bb192828a3ddda60521d0f2d0c7b5b285b0c3f7d6d35b9506ce561aa52cc93000000000e80000000020000200000002cf6615bf9e719b25ea4adbe954c3ca8cda99ea500363c6f543a69af9325a3462000000056520523f417ec2f65b673686f826001dd2a64092a25b149c7f1060ef1f568d440000000acf1dbb3f964e0227ca2c23113c661daeb5119987ff5ef0ee237f15c6ad8ff00610a979836f903eba2e797ba4bc38bcc7b9a07f6066110b600ca4b65f0c84a00	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419565417"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
452	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
452	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
452	iexplore.exe
452	iexplore.exe
1544	IEXPLORE.EXE
1544	IEXPLORE.EXE
1544	IEXPLORE.EXE
1544	IEXPLORE.EXE
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 452	2188	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe	30
PID 2188 wrote to memory of 452	2188	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe	30
PID 2188 wrote to memory of 452	2188	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe	30
PID 2188 wrote to memory of 452	2188	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe	30
PID 452 wrote to memory of 1544	452	iexplore.exe	32
PID 452 wrote to memory of 1544	452	iexplore.exe	32
PID 452 wrote to memory of 1544	452	iexplore.exe	32
PID 452 wrote to memory of 1544	452	iexplore.exe	32
PID 452 wrote to memory of 2776	452	iexplore.exe	34
PID 452 wrote to memory of 2776	452	iexplore.exe	34
PID 452 wrote to memory of 2776	452	iexplore.exe	34
PID 452 wrote to memory of 2776	452	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:452 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1544
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:452 CREDAT:996363 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
ad64227334a2d03f8e528483ae85b939

SHA1
3e60bfedecf942e589ba377628dda45a2d4b0d8b

SHA256
2f982be0bd560a0fb9686f9ca9afdbc707f3a7cbce5e2ce516b537edd115fae6

SHA512
df2054e4fce898d6b856f8d23f66132d668293cffcb84053c499a37e5036e92a0ec407a73d4735f7260b323c25a576f391022fa17c06e8b1d0ee448ba15be871

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0ef492feb3074c831d44a1993992780

SHA1
eb577fc55bd30900a01ca9c7fb33b45f525e3bc8

SHA256
f126828722d0eac097592766fb0d105e29e761821368fa1a497296954caa5154

SHA512
38620449c5e03c8df7fdd81585773a0ff519e391285742c50963fcc7533e931fb1073b64e2121e4f38d12be47a9121edf37d972ff02e38da4422246dd9bb6e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f98e9ce85aafc55c6980bb590ce9cb0f

SHA1
94fc6271c88751233874a9f03e8d563fd7b7c9e6

SHA256
491493cb47f8ed8a7a9e44f93f9047ac64b7448232e85ffad5aca54bf391065c

SHA512
36fe3421bb854ee4ca6720f63accc61b79b6a0fa158b8624650f70f72e15bc18bc63b8cfbe88e970115d3161eb6b5c1b068629f6f8cff9656f73a7321df251a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4df43866ed044d51271430e45cc203b

SHA1
d28b9692158e2b666f161d14ad264a74fd3acf3a

SHA256
4e92cb3eda41d49bd6c395518ad3737d1fceb57a3458bc4046b8f977f2c04af1

SHA512
df37211cd13f7605f23626429d9d47689e0c11e24fb4feccea1132bc0088f292c9e2302c8c8ed9d5ca2500dface1d5fce341cd3e06df8b82245f3dcf56c85157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5b5a702d2eec8604f369e65e2f95b0c

SHA1
736e7c68d2e74c89214c593ba2f0baae5e52fbad

SHA256
5d53f1c0c536833657197d697f9cf59927452454303d239037a2969767b2db2d

SHA512
19b8882cdc5679c321063b1e5c3f3498833fe9bdcb6774211243d67b5b1f11b34b9ffb04e6f13b556d25963b7c79dfa978b0de417c8a0e00c87ac7297c3cc7f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b579832b44aeddd76d94ec0dc8ee398e

SHA1
9d5c50c764fa6b0a1e20ad1b1a99f72d7354fcd0

SHA256
d0830ecf674d69b8ad052dbaa592690b64d7cb18ae679a603f4f1de9bc988dbb

SHA512
3d316ba9ebce2a3e846b36164274cdcabacddde757a734f66466af564639c587e5a86e9349fdfd5984086acda8448325720e5dee653fd0a7285ecab5537ec762

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09a44b08df56fa1b1751881213a0eb2c

SHA1
02a3ecddf4c4148c6d1b55f1d927aa8239069f84

SHA256
97e8309861f27b70704afe7929352839cd8afdea4a2a9ea1e895cd8ab6fa6d75

SHA512
a0d412298a7437a7e3470060cd834deb20708031cd389ec4b6e7a51a3f4bce2fb54932af1d154379620b99c116ea0a676cbd01e3dcb24e62ce82d23c8f2fdce4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce5265a75eefc09b117dd0c894df82da

SHA1
855debf586e72f772f035d259521b93d02bae7d8

SHA256
aedef411065f2a1adbabd3cf80ef9618386d730356e1abc5ba6499ec95a9bfa7

SHA512
0fa38cbfe1cadf11b9fe9d356d5ca5f1547fb341466d67989ff090c0de416c15ca7974406fe51ad2f11b79835ac7b88eff7be727616e24894a9938a207692df5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc42a9c569368d18f1a85b9ff6296ac9

SHA1
102bff6fe4f55e1f98ab1c705b666867095c7151

SHA256
5784ebcb9c038b1be5995aaced4b72aa52720db617554ec2378fd5a60d0976af

SHA512
ca8a69cd441ca9f2b8db1348e845d0b15929a7d628b6e963eb651f88d04ccac18530e6dcb57bdac9c70a04c94f4434f7734224fa2eb4a7e918426941c60393b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4cb41121deb71695588813e5590c4984

SHA1
1b063092e9c773257cf84d9f8abfae16faa4375a

SHA256
e7b7a428bdea60ef8bd5698d9e7309a8abf4e8d3dbbde26517fc484150c56cea

SHA512
5a32c5fde776f415df81ab365d5d76821f61b310db2493cb9bef39444631c1cb941aa0c5a866ac7bfc35f4e0b6d723dad7767395a189b53ec40fb90a55f33614

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fe6a4acabb7cc76d0c02409211cbf8e0

SHA1
d4c8a21367158a73f90bfc0d9c62037dca97a24d

SHA256
b7fe42077921085c19d77f74f1138115fd9c9bc4355a115a8339df71b20fb87e

SHA512
d3f0e7b1f298afc2311c2265244690f36c32792106f78e412b9524cc38fb0493524bbba7a23a764a2b84a88387aa98f17c15e1af6d370ff73c192bd0c72b8530

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b48a75c8ba169c5584cd918d0286a519

SHA1
a400712b19bab08c6f7c2eae4b272fb9ef3f6cb5

SHA256
fa5b3d9d4a2dfdd492dbee7c655eb16b977ba6963fb73d9608bf00865147ad50

SHA512
68ed8801e84f7e4e888c3a19ece6ef0d280b800a6033bac2553fd0162a97fb0e940f08b313b5c47f9f8f0177c673e7dd88df3888882a9fdad91de18e6897a069

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
404002dcfd0879721400758dc398c92f

SHA1
ad6b69c67846ce01ddc51805b63872f997dc160b

SHA256
7c564fd0b361f674dcf6b0159e4b93b4cbb510dc2d5aba265ed76bac3dec108c

SHA512
24a3ca5ca4b9c11c7373c781a3fd89ee288ac9daa9db6a4f7245afba2a4405e156c6dec7521669c58c243a4c2688aeda63921d2939118b072f447501abd92b4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98092e9f8fcfd2162d4668707a05110c

SHA1
e20056b099f0c438b6d49f4fb2e47c0709a611bb

SHA256
f298bb64ce5517f1f115ad3da49350bbcd05321b9f1089ae8dd6ced384460143

SHA512
027e408ac9d7e00b2b26ed9f7cdf9cfc26194c6e398c10059a934c174515f450739fc1a8b34c0503b23a05791b1fa21ab1dc9423abc7529629c1cba6cb3c60d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a210d241f8a18aff41830722fdfd9fc

SHA1
29861f31ed0d4ba30c81aa1c96dab6dbc8fafa3f

SHA256
2e6c8b8f2986ecf0e6254db44e7ee6d789fc5d47fe88d666f09f5226fcf279f9

SHA512
9edad91a88018f17a40fe368d1e34899bc91baf33fdcf9841de56ca69d8406a26db53cade83a4fa9010451e134293aa4153901160baa5c940bb066ea7ff59721

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3bd6d89d4ed7af759956da5ac59ac90e

SHA1
5877cce2bca367692799ddacf45fe69c5c056e7d

SHA256
5664f9b747cd478f8a455abe6d7ebd7caf2aca97394a8cbdf628816786472e66

SHA512
624be6aa6da1318b1a28c8d2591d34412169f4888f09ce5dd1316e94b0207b3cad1fbd55f4b3fed9fd082fb07af5f3f120514c922b80763ccedd126fdd1630fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d1ace93ab0efa55fdbe29f531be02366

SHA1
0adae6ac47679f29315681d163478a05c09f3ae2

SHA256
01bb6e13480ffdedc169f40372a3f525e71c28f52c0a1252b4e3a1f288e280bd

SHA512
828cf3231b72a9cc7b6d41d12de1a73b23522476ff2bb14c0c02b120ba9735ccb2c071e8ad1464ec1bc54314fe1bcb09c0edf8ea16e471585d217ad3449162fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b7f0114232d0ae0bda401925f61fe507

SHA1
a219ce5cddca0932eeb85dadbf0d4c63f4edbe28

SHA256
1da564f1cee63894e4091717ebbf843826bab6a6e588c4a99fd50d1cd98e0169

SHA512
a9578335bd5e0c5cffa9fea94e4860772d42836f2e0c687c2fb7742369d9944369e490f1aeaa99ae4d4144c2c7deb412c1f066c0a6cfbe8cc87284557c76301a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17c3a9da36974721b1b1b0f2c2cdc309

SHA1
dab028a0d4630388758e6f7c2d91c646a7456013

SHA256
c022c1280c4f3d8f5563674b63199937711d34378c75e9853a0dcf357cc0f186

SHA512
c1b2e8fb2fbc9699991e5e2946f0d072347e0cbefc1f45f1030a388daa6ea0563ca54a7812775572b3fd47e0faf4afa79cac18b0fc62b36d4013118c3588ce11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e1d23651446f0489918065d9c0c158e4

SHA1
e50db2c2a0953f9c182835443d87aef2a874f73d

SHA256
0951fc59e6cf466dbf93aaea53ceced05efea034e5a5737456bb2e645bdfde62

SHA512
cc7125e14081dafd5c2a679e9c042a1fafa1786064ef56c5514dcc9a14e79eeb875d036ee80973185d3b1d2905a89ffaa43d02c5ae57e92e61fa52240002daf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC75.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\setupact.log

Filesize
49KB

MD5
3996bed0060374d27b2807d79b8ce11d

SHA1
e05b54f9038cddf39990eff38ee1089c980a3685

SHA256
1b130a02d66ea419e7421a61906ed1ff4861f8996762928c79b1142b57ac2492

SHA512
515d03b2ddc63efe6e597c2522482f4c08d0de7add545468396689c5f941bd52582ed84fb8d3ac225c8158b5831e8a4ac4aeac46d0365ed1ed38d13519b324bd

Download Submit
memory/2188-4-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2188-124-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download