4146b2baa1dd63c84e878e9d86f99eb4c6aa5804b62943659068e46087291134

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Size

137KB
MD5

fff2db4aae34f2cfeb265f2a15e2d70c
SHA1

938429020306c77d629ea9f8c19e515dff14aadc
SHA256

4146b2baa1dd63c84e878e9d86f99eb4c6aa5804b62943659068e46087291134
SHA512

808820695e0e504496d05ef75b0edfcfeb58b0f1d26cba4d095c43a8843699267513898bd9a1fa2dec622fdde487d84c0d2bd1a580375bb6b6be7f6876113d9e
SSDEEP

3072:IpWC4YgBPlGiyllvpWC4YgBPlGiyllBpWC4YgBPlGiyllp:2WC4YgB9GiypWC4YgB9GiyTWC4YgB9GN

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 30 IoCs

pid	Process
2512	Tiwi.exe
2948	IExplorer.exe
2804	winlogon.exe
2936	imoet.exe
1920	cute.exe
2332	Tiwi.exe
1876	IExplorer.exe
308	Tiwi.exe
636	winlogon.exe
2412	imoet.exe
1380	Tiwi.exe
1828	IExplorer.exe
1404	Tiwi.exe
1736	IExplorer.exe
2968	cute.exe
1720	Tiwi.exe
2008	winlogon.exe
2012	winlogon.exe
2620	IExplorer.exe
2632	IExplorer.exe
2856	imoet.exe
2580	imoet.exe
2724	cute.exe
2704	winlogon.exe
2816	winlogon.exe
2700	imoet.exe
2668	cute.exe
2712	cute.exe
1884	imoet.exe
2828	cute.exe

Loads dropped DLL 45 IoCs

pid	Process
2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
2512	Tiwi.exe
2512	Tiwi.exe
2512	Tiwi.exe
2512	Tiwi.exe
2512	Tiwi.exe
2512	Tiwi.exe
2948	IExplorer.exe
2948	IExplorer.exe
2804	winlogon.exe
2804	winlogon.exe
2512	Tiwi.exe
2512	Tiwi.exe
2948	IExplorer.exe
2948	IExplorer.exe
2804	winlogon.exe
1920	cute.exe
1920	cute.exe
2936	imoet.exe
2936	imoet.exe
2804	winlogon.exe
2804	winlogon.exe
2948	IExplorer.exe
2948	IExplorer.exe
2936	imoet.exe
2936	imoet.exe
2948	IExplorer.exe
2948	IExplorer.exe
1920	cute.exe
1920	cute.exe
1920	cute.exe
1920	cute.exe
1920	cute.exe
2804	winlogon.exe
2804	winlogon.exe
2936	imoet.exe
2936	imoet.exe
2936	imoet.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	imoet.exe
File opened (read-only)	\??\H:	Tiwi.exe
File opened (read-only)	\??\Y:	cute.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\Y:	winlogon.exe
File opened (read-only)	\??\P:	IExplorer.exe
File opened (read-only)	\??\O:	Tiwi.exe
File opened (read-only)	\??\H:	cute.exe
File opened (read-only)	\??\S:	winlogon.exe
File opened (read-only)	\??\B:	imoet.exe
File opened (read-only)	\??\G:	imoet.exe
File opened (read-only)	\??\R:	winlogon.exe
File opened (read-only)	\??\N:	imoet.exe
File opened (read-only)	\??\S:	imoet.exe
File opened (read-only)	\??\M:	Tiwi.exe
File opened (read-only)	\??\W:	Tiwi.exe
File opened (read-only)	\??\X:	Tiwi.exe
File opened (read-only)	\??\L:	IExplorer.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\O:	cute.exe
File opened (read-only)	\??\J:	winlogon.exe
File opened (read-only)	\??\Z:	winlogon.exe
File opened (read-only)	\??\E:	winlogon.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\V:	Tiwi.exe
File opened (read-only)	\??\B:	IExplorer.exe
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\G:	cute.exe
File opened (read-only)	\??\L:	imoet.exe
File opened (read-only)	\??\P:	imoet.exe
File opened (read-only)	\??\N:	Tiwi.exe
File opened (read-only)	\??\P:	winlogon.exe
File opened (read-only)	\??\H:	imoet.exe
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\X:	winlogon.exe
File opened (read-only)	\??\M:	imoet.exe
File opened (read-only)	\??\R:	imoet.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\S:	cute.exe
File opened (read-only)	\??\B:	Tiwi.exe
File opened (read-only)	\??\R:	Tiwi.exe
File opened (read-only)	\??\S:	Tiwi.exe
File opened (read-only)	\??\H:	winlogon.exe
File opened (read-only)	\??\W:	cute.exe
File opened (read-only)	\??\X:	cute.exe
File opened (read-only)	\??\I:	imoet.exe
File opened (read-only)	\??\I:	Tiwi.exe
File opened (read-only)	\??\W:	IExplorer.exe
File opened (read-only)	\??\K:	winlogon.exe
File opened (read-only)	\??\U:	cute.exe
File opened (read-only)	\??\E:	imoet.exe
File opened (read-only)	\??\O:	imoet.exe
File opened (read-only)	\??\Y:	imoet.exe
File opened (read-only)	\??\B:	cute.exe
File opened (read-only)	\??\R:	cute.exe
File opened (read-only)	\??\V:	imoet.exe
File opened (read-only)	\??\X:	imoet.exe
File opened (read-only)	\??\E:	IExplorer.exe
File opened (read-only)	\??\N:	IExplorer.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\K:	cute.exe
File opened (read-only)	\??\Z:	cute.exe
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\O:	winlogon.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	Tiwi.exe
File opened for modification	C:\autorun.inf	Tiwi.exe
File created	F:\autorun.inf	Tiwi.exe
File opened for modification	F:\autorun.inf	Tiwi.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File created	C:\Windows\SysWOW64\shell.exe	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tiwi.scr	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
File created	C:\Windows\tiwi.exe	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s1159 = "Tiwi"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s2359 = "Tiwi"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Mouse\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Mouse\SwapMouseButtons = "1"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Mouse\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Mouse\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Mouse\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Mouse\	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Mouse\	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2512	Tiwi.exe
2936	imoet.exe
2804	winlogon.exe
2948	IExplorer.exe
1920	cute.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
2512	Tiwi.exe
2948	IExplorer.exe
2804	winlogon.exe
2936	imoet.exe
1920	cute.exe
2332	Tiwi.exe
1876	IExplorer.exe
636	winlogon.exe
308	Tiwi.exe
1380	Tiwi.exe
2412	imoet.exe
1828	IExplorer.exe
1736	IExplorer.exe
1404	Tiwi.exe
2968	cute.exe
1720	Tiwi.exe
2008	winlogon.exe
2012	winlogon.exe
2620	IExplorer.exe
2632	IExplorer.exe
2580	imoet.exe
2724	cute.exe
2816	winlogon.exe
2700	imoet.exe
2668	cute.exe
2712	cute.exe
1884	imoet.exe
2828	cute.exe
2856	imoet.exe
2704	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2512	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2512	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2512	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2512	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	28
PID 2844 wrote to memory of 2948	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	29
PID 2844 wrote to memory of 2948	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	29
PID 2844 wrote to memory of 2948	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	29
PID 2844 wrote to memory of 2948	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	29
PID 2844 wrote to memory of 2804	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	30
PID 2844 wrote to memory of 2804	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	30
PID 2844 wrote to memory of 2804	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	30
PID 2844 wrote to memory of 2804	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	30
PID 2844 wrote to memory of 2936	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	31
PID 2844 wrote to memory of 2936	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	31
PID 2844 wrote to memory of 2936	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	31
PID 2844 wrote to memory of 2936	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	31
PID 2844 wrote to memory of 1920	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	32
PID 2844 wrote to memory of 1920	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	32
PID 2844 wrote to memory of 1920	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	32
PID 2844 wrote to memory of 1920	2844	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	32
PID 2512 wrote to memory of 2332	2512	Tiwi.exe	33
PID 2512 wrote to memory of 2332	2512	Tiwi.exe	33
PID 2512 wrote to memory of 2332	2512	Tiwi.exe	33
PID 2512 wrote to memory of 2332	2512	Tiwi.exe	33
PID 2512 wrote to memory of 1876	2512	Tiwi.exe	34
PID 2512 wrote to memory of 1876	2512	Tiwi.exe	34
PID 2512 wrote to memory of 1876	2512	Tiwi.exe	34
PID 2512 wrote to memory of 1876	2512	Tiwi.exe	34
PID 2948 wrote to memory of 308	2948	IExplorer.exe	35
PID 2948 wrote to memory of 308	2948	IExplorer.exe	35
PID 2948 wrote to memory of 308	2948	IExplorer.exe	35
PID 2948 wrote to memory of 308	2948	IExplorer.exe	35
PID 2512 wrote to memory of 636	2512	Tiwi.exe	36
PID 2512 wrote to memory of 636	2512	Tiwi.exe	36
PID 2512 wrote to memory of 636	2512	Tiwi.exe	36
PID 2512 wrote to memory of 636	2512	Tiwi.exe	36
PID 2512 wrote to memory of 2412	2512	Tiwi.exe	37
PID 2512 wrote to memory of 2412	2512	Tiwi.exe	37
PID 2512 wrote to memory of 2412	2512	Tiwi.exe	37
PID 2512 wrote to memory of 2412	2512	Tiwi.exe	37
PID 2804 wrote to memory of 1380	2804	winlogon.exe	38
PID 2804 wrote to memory of 1380	2804	winlogon.exe	38
PID 2804 wrote to memory of 1380	2804	winlogon.exe	38
PID 2804 wrote to memory of 1380	2804	winlogon.exe	38
PID 2948 wrote to memory of 1828	2948	IExplorer.exe	39
PID 2948 wrote to memory of 1828	2948	IExplorer.exe	39
PID 2948 wrote to memory of 1828	2948	IExplorer.exe	39
PID 2948 wrote to memory of 1828	2948	IExplorer.exe	39
PID 1920 wrote to memory of 1404	1920	cute.exe	40
PID 1920 wrote to memory of 1404	1920	cute.exe	40
PID 1920 wrote to memory of 1404	1920	cute.exe	40
PID 1920 wrote to memory of 1404	1920	cute.exe	40
PID 2804 wrote to memory of 1736	2804	winlogon.exe	41
PID 2804 wrote to memory of 1736	2804	winlogon.exe	41
PID 2804 wrote to memory of 1736	2804	winlogon.exe	41
PID 2804 wrote to memory of 1736	2804	winlogon.exe	41
PID 2512 wrote to memory of 2968	2512	Tiwi.exe	42
PID 2512 wrote to memory of 2968	2512	Tiwi.exe	42
PID 2512 wrote to memory of 2968	2512	Tiwi.exe	42
PID 2512 wrote to memory of 2968	2512	Tiwi.exe	42
PID 2936 wrote to memory of 1720	2936	imoet.exe	43
PID 2936 wrote to memory of 1720	2936	imoet.exe	43
PID 2936 wrote to memory of 1720	2936	imoet.exe	43
PID 2936 wrote to memory of 1720	2936	imoet.exe	43

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe

C:\Users\Admin\AppData\Local\Temp\fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2844
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2512
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2332
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1876
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:636
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2412
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2968
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2948
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:308
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1828
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2008
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2580
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2724
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2804
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1380
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1736
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2012
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2856
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2712
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2936
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1720
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2632
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2704
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1884
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2828
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1920
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1404
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2620
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2816
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2700
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

Filesize
137KB

MD5
3ee7dd21057add6f9bdf45678f1cb7f8

SHA1
e4a3a18c109776bfb0530b07c9daa7b369446c38

SHA256
0ff6f46fb2a1bf5832b7ea34277e897785f52607415dc5acccd257e2469c11e5

SHA512
f64e0da5b3d1ec38be73877744d1b476a4c3956dd6dadb678c8d149f1377c04340c3f7913bd53f24c0063e3ca197d0b9bcd2e6a65bf5420cc4229d26eb156e74

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
1b1c817ed2abd2a09d653a9790881719

SHA1
d7955d06c67fc8056cc80453623529b727941430

SHA256
a741d8a2a062e3a87eaf896e65328e3a5d9545a57c4e078ec02a9790e057a833

SHA512
61b745368d19939c8123ea32c46f7d26960fc617831d2173e09e11d43c6cc2930adfe8fca38646b24bee660dc2fa0d4066b759e603f0d299ded933fc1c22a65b

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
9e36e3bfda91ca1b72f67fa3b8cf3da4

SHA1
624612e3ef9a240f92e6d09ad9c26782e206c31c

SHA256
749b8428d3ab3d7a21d1d9b0f3817cc2631cc898a64e348465f48751b3ae501c

SHA512
e7c9f61b4a2c1fb532af2c2b24e1715e835c2a3fbec8b4b43c0646f7f87d7b6c9b9bfc8ff8ba2aa5112ddd0f14a63c2694fb0c82e7454bf8b246915af5777a62

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
4db82790872d197be2a47f63e677f8c6

SHA1
a582c5c647296df5a1fd098664cc2f3cf77972b8

SHA256
68444d63f013d9ac18b53b5f21d09d16fc13b2b616132919bfd56833ec05ec31

SHA512
2bd97d2d5066bdef4a555090a12411faac9d4deeba6001b5bf8cc813189cb50e9c341073fe21536296f96ad3a93d28740dd6bb199d3018733d98069a4bd1c456

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
b09c6e8a1a91472f4bf021c1eef9e779

SHA1
0b553efaff9817621c3e289d4aa3df13e9f9c8ae

SHA256
c161379af4988127c4af30a76b41d5d6a9f528477bf10118fff7d1c89217ebf3

SHA512
c7ca2fe0f5bb9cd4d7c663c43287b453dd222427fb0ba529a7287015aa439ddaacd00efdd7cfe61f191478d4352e522af42f8d3d7c5b135fb51b472a5db9570c

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
137KB

MD5
bc05aa27036f7b19a1dfd869831ce96b

SHA1
0c03495b0196fa5c65dde2389ed18c9cf21bf710

SHA256
99b3d75250a01e7c502f650ae1d41ce87f33f4a158c0c4407263e3eebb53f59a

SHA512
7008471f11abd8dad9f6bf88471456e209786fb840da89955bbc18cee1b4b33bb160bb0130aabd0abfd9576053ea2ba349925e7450b71ea6e25685d8251de300

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
137KB

MD5
fff2db4aae34f2cfeb265f2a15e2d70c

SHA1
938429020306c77d629ea9f8c19e515dff14aadc

SHA256
4146b2baa1dd63c84e878e9d86f99eb4c6aa5804b62943659068e46087291134

SHA512
808820695e0e504496d05ef75b0edfcfeb58b0f1d26cba4d095c43a8843699267513898bd9a1fa2dec622fdde487d84c0d2bd1a580375bb6b6be7f6876113d9e

Download Submit
C:\Windows\tiwi.exe

Filesize
137KB

MD5
33a8927490d61d7253439057bc3a86f3

SHA1
3b66d679c68288602ec62455cea0fd80c62a6519

SHA256
4d0048ced0436b1fa4dbc1092bbc6dbe2be93f4d979c2a81f39aef1cec225ad2

SHA512
23b770062ef55fc0056d1887a6575b7faabfd396a4a6780b3bb21dda010b07143fe3744630f6cdd59ea2f97f460bfa5dad52bb9fe2217ffbc46b9d264fae4c4c

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\tiwi.exe

Filesize
137KB

MD5
c84ebb4a60309fd373dbd8123070f5bf

SHA1
9d5ab9d151d1d4660c1c90423eba5520354eddc5

SHA256
ba6dca24f0ae48107b12c3584d603ecb4f7fd7e4a856fb7ecbf5ba568d72af49

SHA512
eed9a83f4fd4e373456f386b9cf6d6e1fb619b3e9538898750e5ea5092946fea53b9428f5cec8f891b8a18026e79738594a00c9dc6ff7252cfc506528ee80510

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
\Users\Admin\AppData\Local\WINDOWS\cute.exe

Filesize
137KB

MD5
a6b2632f9d779e4464ae44440b373c76

SHA1
c4cf18302292e1174d627e9ecd46a6419d60c00b

SHA256
688720997fb29bdaa516533d8807cd5d440de6c6db9b63dd1951c8bf13030ceb

SHA512
c246135a321682b7f6215049a696e9c76e22f636b6e2967ddfe63c9dcc0b36dfc70983c2ec7df72038a30bb8b259b5f04284b88faa364d2e4c06b2afe6121ac4

Download Submit
\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
137KB

MD5
ab14b7f1cd12a2d14fa7227d7d078f21

SHA1
1129f0c5954968336b39c153ed6f83218ca1a4eb

SHA256
65effde15c22f10bcdb3bd766e3aa5ec3fc3f645e826d0ddd4cab5329c4efa36

SHA512
f55fc861a889d4934dc4aaf25522b213c24d708fe100e763f45b4965ad88f33770ad8212200202f38c25b98325a49c1ed56b18264bf923b1d6c10feb793796dd

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
137KB

MD5
ad8a681ccbe4e0119e1839f48082a7cf

SHA1
ca32ef8cccc16b9fd4576edda7ad66a282dbaae2

SHA256
236f0c903771191bc3b47516fab3d84de68ac4396014dd9496eba4f5f192d89d

SHA512
b538d3e53f522aaa17c93ab27a1aa1eda8b6213e65c510f1a08073e9a217ce3e17e21fbbfef487a15b841d4e75c1b92e550a72922678fbd1e9554bbc5d2580f2

Download Submit
memory/308-280-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/636-249-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1380-298-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1380-284-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1404-370-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1720-377-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1736-304-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1736-367-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1828-353-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1876-229-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1876-205-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1884-420-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1920-410-0x0000000002900000-0x000000000292B000-memory.dmp

Filesize
172KB

Download
memory/1920-398-0x0000000002900000-0x000000000292B000-memory.dmp

Filesize
172KB

Download
memory/1920-409-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1920-431-0x0000000002900000-0x000000000292B000-memory.dmp

Filesize
172KB

Download
memory/1920-426-0x0000000002900000-0x000000000292B000-memory.dmp

Filesize
172KB

Download
memory/1920-430-0x0000000002900000-0x000000000292B000-memory.dmp

Filesize
172KB

Download
memory/1920-308-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1920-401-0x0000000002900000-0x000000000292B000-memory.dmp

Filesize
172KB

Download
memory/1920-355-0x0000000002900000-0x000000000292B000-memory.dmp

Filesize
172KB

Download
memory/2008-336-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2008-376-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2012-381-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2332-201-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2332-180-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2412-312-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2412-283-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2512-332-0x0000000002470000-0x000000000249B000-memory.dmp

Filesize
172KB

Download
memory/2512-279-0x0000000002470000-0x000000000249B000-memory.dmp

Filesize
172KB

Download
memory/2512-101-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2512-405-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2512-334-0x0000000002470000-0x000000000249B000-memory.dmp

Filesize
172KB

Download
memory/2512-273-0x0000000002470000-0x000000000249B000-memory.dmp

Filesize
172KB

Download
memory/2512-182-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2512-338-0x0000000002470000-0x000000000249B000-memory.dmp

Filesize
172KB

Download
memory/2512-337-0x0000000002470000-0x000000000249B000-memory.dmp

Filesize
172KB

Download
memory/2512-198-0x0000000002470000-0x000000000249B000-memory.dmp

Filesize
172KB

Download
memory/2512-200-0x0000000002470000-0x000000000249B000-memory.dmp

Filesize
172KB

Download
memory/2580-385-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2620-378-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2632-380-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2668-404-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2700-400-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2712-418-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2724-391-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2724-392-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2804-434-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2804-415-0x0000000001D60000-0x0000000001D8B000-memory.dmp

Filesize
172KB

Download
memory/2804-416-0x0000000001D60000-0x0000000001D8B000-memory.dmp

Filesize
172KB

Download
memory/2804-354-0x0000000001D60000-0x0000000001D8B000-memory.dmp

Filesize
172KB

Download
memory/2804-272-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2804-123-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2828-425-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2828-427-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-104-0x0000000000820000-0x000000000084B000-memory.dmp

Filesize
172KB

Download
memory/2844-143-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-99-0x0000000000820000-0x000000000084B000-memory.dmp

Filesize
172KB

Download
memory/2844-141-0x0000000000820000-0x000000000084B000-memory.dmp

Filesize
172KB

Download
memory/2844-146-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2844-98-0x0000000000820000-0x000000000084B000-memory.dmp

Filesize
172KB

Download
memory/2856-382-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2856-429-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2936-423-0x00000000031C0000-0x00000000031EB000-memory.dmp

Filesize
172KB

Download
memory/2936-331-0x00000000031C0000-0x00000000031EB000-memory.dmp

Filesize
172KB

Download
memory/2936-132-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2936-435-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2936-372-0x00000000031C0000-0x00000000031EB000-memory.dmp

Filesize
172KB

Download
memory/2936-408-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2936-388-0x00000000031C0000-0x00000000031EB000-memory.dmp

Filesize
172KB

Download
memory/2936-303-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2948-238-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2948-421-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/2948-396-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/2948-230-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/2948-389-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/2948-335-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/2948-340-0x00000000023C0000-0x00000000023EB000-memory.dmp

Filesize
172KB

Download
memory/2948-406-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2968-310-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2968-352-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download