4146b2baa1dd63c84e878e9d86f99eb4c6aa5804b62943659068e46087291134

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 18:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Size

137KB
MD5

fff2db4aae34f2cfeb265f2a15e2d70c
SHA1

938429020306c77d629ea9f8c19e515dff14aadc
SHA256

4146b2baa1dd63c84e878e9d86f99eb4c6aa5804b62943659068e46087291134
SHA512

808820695e0e504496d05ef75b0edfcfeb58b0f1d26cba4d095c43a8843699267513898bd9a1fa2dec622fdde487d84c0d2bd1a580375bb6b6be7f6876113d9e
SSDEEP

3072:IpWC4YgBPlGiyllvpWC4YgBPlGiyllBpWC4YgBPlGiyllp:2WC4YgB9GiypWC4YgB9GiyTWC4YgB9GN

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cute.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 30 IoCs

pid	Process
4568	Tiwi.exe
2984	IExplorer.exe
4208	winlogon.exe
3676	imoet.exe
2976	cute.exe
3864	Tiwi.exe
4008	Tiwi.exe
1092	Tiwi.exe
4268	IExplorer.exe
936	IExplorer.exe
4864	IExplorer.exe
3768	winlogon.exe
408	winlogon.exe
3032	winlogon.exe
2416	imoet.exe
2488	imoet.exe
2724	imoet.exe
5104	cute.exe
3972	cute.exe
4244	cute.exe
3432	Tiwi.exe
3012	Tiwi.exe
2348	IExplorer.exe
656	IExplorer.exe
1644	winlogon.exe
736	winlogon.exe
3536	imoet.exe
2256	imoet.exe
4620	cute.exe
1208	cute.exe

Loads dropped DLL 5 IoCs

pid	Process
3864	Tiwi.exe
4008	Tiwi.exe
1092	Tiwi.exe
3432	Tiwi.exe
3012	Tiwi.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\imoet.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiwi = "C:\\Windows\\tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\cute.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	cute.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	Tiwi.exe
File opened (read-only)	\??\M:	Tiwi.exe
File opened (read-only)	\??\Z:	Tiwi.exe
File opened (read-only)	\??\N:	IExplorer.exe
File opened (read-only)	\??\T:	cute.exe
File opened (read-only)	\??\T:	imoet.exe
File opened (read-only)	\??\R:	cute.exe
File opened (read-only)	\??\X:	Tiwi.exe
File opened (read-only)	\??\I:	IExplorer.exe
File opened (read-only)	\??\K:	winlogon.exe
File opened (read-only)	\??\L:	IExplorer.exe
File opened (read-only)	\??\B:	winlogon.exe
File opened (read-only)	\??\W:	winlogon.exe
File opened (read-only)	\??\H:	imoet.exe
File opened (read-only)	\??\N:	cute.exe
File opened (read-only)	\??\H:	Tiwi.exe
File opened (read-only)	\??\W:	Tiwi.exe
File opened (read-only)	\??\G:	winlogon.exe
File opened (read-only)	\??\V:	winlogon.exe
File opened (read-only)	\??\X:	imoet.exe
File opened (read-only)	\??\G:	Tiwi.exe
File opened (read-only)	\??\J:	Tiwi.exe
File opened (read-only)	\??\J:	imoet.exe
File opened (read-only)	\??\N:	imoet.exe
File opened (read-only)	\??\V:	imoet.exe
File opened (read-only)	\??\G:	cute.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\O:	imoet.exe
File opened (read-only)	\??\W:	imoet.exe
File opened (read-only)	\??\P:	cute.exe
File opened (read-only)	\??\T:	IExplorer.exe
File opened (read-only)	\??\L:	imoet.exe
File opened (read-only)	\??\B:	Tiwi.exe
File opened (read-only)	\??\N:	Tiwi.exe
File opened (read-only)	\??\Y:	Tiwi.exe
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\E:	cute.exe
File opened (read-only)	\??\K:	cute.exe
File opened (read-only)	\??\E:	Tiwi.exe
File opened (read-only)	\??\K:	Tiwi.exe
File opened (read-only)	\??\S:	Tiwi.exe
File opened (read-only)	\??\E:	winlogon.exe
File opened (read-only)	\??\Q:	winlogon.exe
File opened (read-only)	\??\P:	imoet.exe
File opened (read-only)	\??\V:	IExplorer.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\I:	winlogon.exe
File opened (read-only)	\??\G:	imoet.exe
File opened (read-only)	\??\K:	imoet.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\B:	imoet.exe
File opened (read-only)	\??\J:	cute.exe
File opened (read-only)	\??\W:	cute.exe
File opened (read-only)	\??\X:	cute.exe
File opened (read-only)	\??\P:	IExplorer.exe
File opened (read-only)	\??\O:	winlogon.exe
File opened (read-only)	\??\Q:	cute.exe
File opened (read-only)	\??\M:	imoet.exe
File opened (read-only)	\??\B:	cute.exe
File opened (read-only)	\??\W:	IExplorer.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\M:	winlogon.exe
File opened (read-only)	\??\P:	winlogon.exe
File opened (read-only)	\??\Y:	winlogon.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Cemlekum"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Ketika sang Putri tertidur, kunyalakan lampion tuk menghangatkan sang putri, dan ku tunggu sang putri terbangun. Entah sampai kapan dia bisa melihat ketulusan hatiku....(kaya di fs nya siafa yach??) :P "	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	imoet.exe

Drops autorun.inf file 1 TTPs 12 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	Tiwi.exe
File created	C:\autorun.inf	IExplorer.exe
File created	C:\autorun.inf	winlogon.exe
File created	F:\autorun.inf	IExplorer.exe
File opened for modification	F:\autorun.inf	Tiwi.exe
File created	F:\autorun.inf	winlogon.exe
File opened for modification	F:\autorun.inf	winlogon.exe
File opened for modification	F:\autorun.inf	IExplorer.exe
File created	C:\autorun.inf	Tiwi.exe
File opened for modification	C:\autorun.inf	IExplorer.exe
File opened for modification	C:\autorun.inf	winlogon.exe
File created	F:\autorun.inf	Tiwi.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	imoet.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\tiwi.scr	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Tiwi.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	cute.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	Tiwi.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Tiwi.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\tiwi.scr	imoet.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	imoet.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	cute.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	winlogon.exe
File opened for modification	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\tiwi.exe	cute.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
File created	C:\Windows\tiwi.exe	Tiwi.exe
File opened for modification	C:\Windows\tiwi.exe	IExplorer.exe
File created	C:\Windows\tiwi.exe	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\tiwi.exe	imoet.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\tiwi.exe	Tiwi.exe
File created	C:\Windows\tiwi.exe	winlogon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\tiwi.exe	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Mouse\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\s1159 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\s2359 = "Tiwi"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	cute.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Mouse\SwapMouseButtons = "1"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\s1159 = "Tiwi"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Mouse\SwapMouseButtons = "1"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\s1159 = "Tiwi"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\s1159 = "Tiwi"	imoet.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Mouse\SwapMouseButtons = "1"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\s2359 = "Tiwi"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Mouse\	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Mouse\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\s2359 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Mouse\	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Mouse\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\s2359 = "Tiwi"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Mouse\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\s1159 = "Tiwi"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\s2359 = "Tiwi"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\tiwi.SCR"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Tiwi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\s1159 = "Tiwi"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\s2359 = "Tiwi"	Tiwi.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	cute.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\Main\	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\Main\	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	imoet.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\Main\	cute.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\Main\	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Princess Tiwi is Here.."	Tiwi.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.google.com"	IExplorer.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	Tiwi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	imoet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.com"	cute.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	imoet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	imoet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	cute.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Tiwi.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
4568	Tiwi.exe
3676	imoet.exe
4208	winlogon.exe
2984	IExplorer.exe
2976	cute.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
4568	Tiwi.exe
2984	IExplorer.exe
4208	winlogon.exe
3676	imoet.exe
2976	cute.exe
4008	Tiwi.exe
3864	Tiwi.exe
1092	Tiwi.exe
4268	IExplorer.exe
936	IExplorer.exe
4864	IExplorer.exe
3768	winlogon.exe
408	winlogon.exe
3032	winlogon.exe
2416	imoet.exe
2488	imoet.exe
2724	imoet.exe
5104	cute.exe
4244	cute.exe
3972	cute.exe
3432	Tiwi.exe
3012	Tiwi.exe
2348	IExplorer.exe
656	IExplorer.exe
1644	winlogon.exe
736	winlogon.exe
2256	imoet.exe
3536	imoet.exe
4620	cute.exe
1208	cute.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 4568	3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	87
PID 3128 wrote to memory of 4568	3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	87
PID 3128 wrote to memory of 4568	3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	87
PID 3128 wrote to memory of 2984	3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	88
PID 3128 wrote to memory of 2984	3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	88
PID 3128 wrote to memory of 2984	3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	88
PID 3128 wrote to memory of 4208	3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	89
PID 3128 wrote to memory of 4208	3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	89
PID 3128 wrote to memory of 4208	3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	89
PID 3128 wrote to memory of 3676	3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	90
PID 3128 wrote to memory of 3676	3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	90
PID 3128 wrote to memory of 3676	3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	90
PID 3128 wrote to memory of 2976	3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	91
PID 3128 wrote to memory of 2976	3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	91
PID 3128 wrote to memory of 2976	3128	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe	91
PID 4568 wrote to memory of 3864	4568	Tiwi.exe	95
PID 4568 wrote to memory of 3864	4568	Tiwi.exe	95
PID 4568 wrote to memory of 3864	4568	Tiwi.exe	95
PID 2984 wrote to memory of 4008	2984	IExplorer.exe	96
PID 2984 wrote to memory of 4008	2984	IExplorer.exe	96
PID 2984 wrote to memory of 4008	2984	IExplorer.exe	96
PID 4208 wrote to memory of 1092	4208	winlogon.exe	97
PID 4208 wrote to memory of 1092	4208	winlogon.exe	97
PID 4208 wrote to memory of 1092	4208	winlogon.exe	97
PID 2984 wrote to memory of 4268	2984	IExplorer.exe	98
PID 2984 wrote to memory of 4268	2984	IExplorer.exe	98
PID 2984 wrote to memory of 4268	2984	IExplorer.exe	98
PID 4568 wrote to memory of 936	4568	Tiwi.exe	99
PID 4568 wrote to memory of 936	4568	Tiwi.exe	99
PID 4568 wrote to memory of 936	4568	Tiwi.exe	99
PID 4208 wrote to memory of 4864	4208	winlogon.exe	100
PID 4208 wrote to memory of 4864	4208	winlogon.exe	100
PID 4208 wrote to memory of 4864	4208	winlogon.exe	100
PID 4568 wrote to memory of 3768	4568	Tiwi.exe	101
PID 4568 wrote to memory of 3768	4568	Tiwi.exe	101
PID 4568 wrote to memory of 3768	4568	Tiwi.exe	101
PID 2984 wrote to memory of 408	2984	IExplorer.exe	102
PID 2984 wrote to memory of 408	2984	IExplorer.exe	102
PID 2984 wrote to memory of 408	2984	IExplorer.exe	102
PID 4208 wrote to memory of 3032	4208	winlogon.exe	103
PID 4208 wrote to memory of 3032	4208	winlogon.exe	103
PID 4208 wrote to memory of 3032	4208	winlogon.exe	103
PID 4568 wrote to memory of 2416	4568	Tiwi.exe	104
PID 4568 wrote to memory of 2416	4568	Tiwi.exe	104
PID 4568 wrote to memory of 2416	4568	Tiwi.exe	104
PID 2984 wrote to memory of 2488	2984	IExplorer.exe	105
PID 2984 wrote to memory of 2488	2984	IExplorer.exe	105
PID 2984 wrote to memory of 2488	2984	IExplorer.exe	105
PID 4208 wrote to memory of 2724	4208	winlogon.exe	106
PID 4208 wrote to memory of 2724	4208	winlogon.exe	106
PID 4208 wrote to memory of 2724	4208	winlogon.exe	106
PID 4568 wrote to memory of 5104	4568	Tiwi.exe	107
PID 4568 wrote to memory of 5104	4568	Tiwi.exe	107
PID 4568 wrote to memory of 5104	4568	Tiwi.exe	107
PID 2984 wrote to memory of 3972	2984	IExplorer.exe	108
PID 2984 wrote to memory of 3972	2984	IExplorer.exe	108
PID 2984 wrote to memory of 3972	2984	IExplorer.exe	108
PID 4208 wrote to memory of 4244	4208	winlogon.exe	109
PID 4208 wrote to memory of 4244	4208	winlogon.exe	109
PID 4208 wrote to memory of 4244	4208	winlogon.exe	109
PID 3676 wrote to memory of 3432	3676	imoet.exe	110
PID 3676 wrote to memory of 3432	3676	imoet.exe	110
PID 3676 wrote to memory of 3432	3676	imoet.exe	110
PID 2976 wrote to memory of 3012	2976	cute.exe	111

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cute.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	cute.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	imoet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Tiwi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Tiwi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fff2db4aae34f2cfeb265f2a15e2d70c_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3128
- C:\Windows\Tiwi.exe
  C:\Windows\Tiwi.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4568
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3864
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:936
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3768
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2416
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5104
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2984
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4008
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4268
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:408
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2488
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3972
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4208
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1092
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4864
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3032
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2724
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4244
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3676
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3432
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2348
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1644
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2256
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4620
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2976
- - C:\Windows\Tiwi.exe
    C:\Windows\Tiwi.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3012
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:656
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:736
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\imoet.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3536
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\cute.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\cute.exe

Filesize
137KB

MD5
b4f518fa8afd74b5f69001939ec6d3f0

SHA1
72516ded9f34ad48629bc2957ebd70847f2083b6

SHA256
5f5bffb650e1a56a111328898556a726ec6e2a38e8390bccad3135eefe80ec18

SHA512
804d76ff7aa13f14d3164bfbe8b12c835e77454128e2dd4ef6e46834eb5b8553a573d3acbdc75b9daaefa7f1b9c8b1404e9852ba9bc68fa8fbbb1c0ab63e081c

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\imoet.exe

Filesize
137KB

MD5
60059f84502973eecfb0865d47eb6651

SHA1
6d1592aec846512c9bd044dbd5b858fd1e3368bc

SHA256
1fe431dd8bd96eb512a42204c9ba2c6752cf1bbe4a96fac64cf1a5667fd6d097

SHA512
81d2503d2152d5de13056158dc5ca680512b4d52b94b2c974665affff5a8894e59e097eda0618e32e61648426b3f339e44e2cc319f363a1fda791b2a58193bf5

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
45KB

MD5
f4992c2298493b86ab78e0c95ebc3ef2

SHA1
8bce988f5f6392089222fd31e2c24891c7c62d72

SHA256
f6fa53165413c7e9a24030443171423410f3cae5bcccc60e7644e2871775907e

SHA512
72b56263c5ca5930fb16a2927d59dcbcef8fe319fd63664bd90688014c0b1e222520b3ae491ccfb48eda541a98f39eac750b8a254880a58bd7d040bd51bf4e0c

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
137KB

MD5
67ea8b3e96bd670b95b245fdbd9d2ad9

SHA1
f4f14afea4bb01a323881ab80110a87dd39d39eb

SHA256
35c24a899bf3f19715af6b0a27a92964a7dcc7264b78a6547ef437b6a1d8e760

SHA512
f678cbe890bb1454d7b2effa2aaa47e5f10941fbd7403a0e06f5afe069fde43e44c75e44cf6056502de070dbbea91c17c75a6e8dcb88ffee019d9b5f2b62dbcf

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
43eb653660b91c6d53fe2309206bffc7

SHA1
2aa9127971061d283eb70b9a77590bde603bdfe8

SHA256
74fc7ab64ac1a5a8f4b0e38c9d9f20376841bdde9fd0edcc933fe3cc8860186a

SHA512
9ed70942392ae34dc7e0f625351a1b3d110f90fd7dd5d8075db5fe30c89914afa5eab72a0f5120ce4544a2efe8a856ef32670521334bd643a40a4f81afb7037d

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

Filesize
45KB

MD5
67a1c185096e2e75de253982d7530a80

SHA1
55ac5c8ac761333dfccfa389c5a5155171c0fb00

SHA256
f743bd50b9d09d0cc6e75c0ce19426b40bb98d0475c70d1a7f8ed73ebae54130

SHA512
8156b4ec3485dfe753b8e4b74923f0aac6796d98684531da0e9b58e6542db0054bd943e4d8fc27438c1a9a84f91db601d31de839881df52bf01a2a7cb29b589b

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
137KB

MD5
e8104e7f36862b30aeccf1129fa720f5

SHA1
7a00d44be91585ec65773bc4f23bfec7c112650b

SHA256
12bb1d142531f4a6cdd5a813f26e34afc47d29838ed8a8461eb26605a458de0b

SHA512
d70ac12dc119d8ce1812180517d89b496ba9dbd47dc8b356afd69a5358087bacf75555af5099819d1409cb5e2f0610b855e0dc8f41f83dfb94e882c72fbfe61a

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
137KB

MD5
d152cb6afe9bde0a72bf133e61a0c723

SHA1
e4c502a8549f6ab19de3e036f4339fe3ae4f84aa

SHA256
8f99ab4b437525f18003748de317e5ff5a77658bb3538f3e38c33dc7acb087e0

SHA512
d1b8f82551444fa4a3d46b4a7213d1383f1f236326c0ebeeda4e628f90602a6c2213e92640f8b606cc4346e7d712268fd3600d4314690bf8610984e43ae3ffc0

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
137KB

MD5
ae5891df7aeba5b1bcc65c3b4541353a

SHA1
729cbeffde8e400b20a8a1a371914fdcb5af34c8

SHA256
f35b88232136f2b3b85962c6b0bd2422e12c3fd6874e065c121fa189e97d0349

SHA512
d12ff09323e11ca2b249b2b4c1086170f97fa9bfcebedbf77d8665fa2ad7d02489a8d8661ac8f38922171693b2ece7caaab99ad620f7568ec345cd0ea108b92b

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
137KB

MD5
8388edd90c7aedfd2f9168b4607c6066

SHA1
853ba24c53893396ab419b51b205b68dcc70ca69

SHA256
b87d7429a6dcddb39928b01ce2157c6981e5d2f0e1cdd65c7a5420add21445db

SHA512
e11a997b734004660d039acd44c6171a363735bae13836d2a6c753632996b41a101633e0f71b073336b6b3d11dea6db553568ea1d090d55b38260de5a4f2e567

Download Submit
C:\Windows\SysWOW64\tiwi.scr

Filesize
137KB

MD5
b92ed640fa26b1a1dce5ccf299387ece

SHA1
611e186171d3b137bf7b0fd5f258d78391a55d7f

SHA256
76ffab32b5175244feacd815da434e17f753e06f32b8594e9ec4500feb996ef6

SHA512
6e992dfe41fe5080e2dcd3455fb93d214442b50eb167314bf44b804cf1f7a258fc48e72d4c9e7fe1d2226170f704ad1ddecbe227c49f8b6ba60940de95bee3cb

Download Submit
C:\Windows\tiwi.exe

Filesize
137KB

MD5
3929eb86722656f5da6c7b98ebd04cec

SHA1
ed197de49f8f38a477c6f26fb172c465828b66fb

SHA256
909008af09c43a5d2e1966cb0278730d03e9842896172a40f1799374392cbb48

SHA512
5cc6f6076ae1a4a9f0f9078497c7ba130354e6f0eb2fca81f318a414be0e35fa67497728706263a52a354f325b9d585f696cabdebbf74555e29534e18e7e7144

Download Submit
C:\present.txt

Filesize
729B

MD5
8e3c734e8dd87d639fb51500d42694b5

SHA1
f76371d31eed9663e9a4fd7cb95f54dcfc51f87f

SHA256
574a3a546332854d82e4f5b54cc5e8731fe9828e14e89a728be7e53ed21f6bad

SHA512
06ef1ddd1dd2b30d7db261e9ac78601111eeb1315d2c46f42ec71d14611376a951af3e9c6178bb7235f0d61c022d4715aeb528f775a3cf7da249ab0b2e706853

Download Submit
C:\tiwi.exe

Filesize
137KB

MD5
cbb58a7eb9909cd8e8e62f937d8d0511

SHA1
23cc4c353c218ba1b4082261a75bc9a958d0c978

SHA256
131b7edd89c3067c279195614bcdc2cabd6e10ac35cdbacae765e6163baad3b5

SHA512
eea2094908adb0524e7e5d9005796a63cdeb174ab4017fde86e172aef5c6e1b38bc3b3157886b5545cc0c1d6b36dffdd0de406228a80aaff7afb36bca0be29f4

Download Submit
C:\tiwi.exe

Filesize
137KB

MD5
fff2db4aae34f2cfeb265f2a15e2d70c

SHA1
938429020306c77d629ea9f8c19e515dff14aadc

SHA256
4146b2baa1dd63c84e878e9d86f99eb4c6aa5804b62943659068e46087291134

SHA512
808820695e0e504496d05ef75b0edfcfeb58b0f1d26cba4d095c43a8843699267513898bd9a1fa2dec622fdde487d84c0d2bd1a580375bb6b6be7f6876113d9e

Download Submit
F:\autorun.inf

Filesize
39B

MD5
415c421ba7ae46e77bdee3a681ecc156

SHA1
b0db5782b7688716d6fc83f7e650ffe1143201b7

SHA256
e6e9c5ea41aaf8b2145701f94289458ef5c8467f8c8a2954caddf8513adcf26e

SHA512
dbafe82d3fe0f9cda3fa9131271636381e548da5cc58cd01dd68d50e3795ff9d857143f30db9cd2a0530c06ce1adef4de9a61289e0014843ac7fefcbd31a8f62

Download Submit
memory/408-266-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/408-275-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/656-374-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/736-378-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/736-381-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/936-254-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1092-219-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1092-252-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1208-395-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1644-382-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1644-375-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2256-383-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2256-388-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2348-373-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2416-286-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2488-297-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2488-283-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2724-299-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2976-122-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2976-298-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2976-400-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2984-270-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2984-397-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2984-102-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3012-368-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3032-276-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3032-273-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3128-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3128-125-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3432-367-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3536-389-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3676-116-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3676-399-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3676-282-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3768-268-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3768-265-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3864-154-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3864-237-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3972-320-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4008-234-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4008-187-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4208-274-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4208-398-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4208-110-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4244-319-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4268-255-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4268-233-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4568-261-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4568-396-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4568-96-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4620-394-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4864-262-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5104-296-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/5104-303-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download