Analysis
- max time kernel: 140s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-04-2024 23:24
Static task: static1
Behavioral task: behavioral1
- Sample: 087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe
- Resource: win10v2004-20240419-en
General
- Target: 087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe
- Size: 1.6MB
- MD5: 087ad2e6ca33b8c587dbc2884a034c6e
- SHA1: a88f9e9dda17945f45b12b507f8db71c1dd26b50
- SHA256: 203fe7d0d3e6b6c4d986da6a02e55a9f8cb6f874d47008edc8fa187b23545c66
- SHA512: d5507e37cd97bf69550d804373358346f139b603c0165fccd1dc94b8b3d91167594a33a961972917a85b6a9a0928b21ed8929c8b919bb042adc40a90e3a4ab34
- SSDEEP: 49152:/jZkjil1jW62ZGAIimn8ul4ry7SpKeQzUWwkTdmGk:hjWFQrquJSpPQ4kq
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- [ATDuUO.exe] pid 4704
Loads dropped DLL (3 IoCs)
- [ATDuUO.exe] pid 4704
- [regsvr32.exe] pid 3784
- [regsvr32.exe] pid 2704
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Registers COM server for autorun (1 TTP, 4 IoCs)
- [regsvr32.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32
- [regsvr32.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.x64.dll"
- [regsvr32.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32\ThreadingModel = "Apartment"
- [regsvr32.exe] Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension (5 IoCs)
- [ATDuUO.exe] File created C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\manifest.json
- [ATDuUO.exe] File created C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\manifest.json
- [ATDuUO.exe] File created C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\manifest.json
- [ATDuUO.exe] File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\manifest.json
- [ATDuUO.exe] File created C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\manifest.json
Installs/modifies Browser Helper Object (2 TTPs, 8 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
- [regsvr32.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\NoExplorer = "1"
- [regsvr32.exe] Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ = "YoutubeAdblocker"
- [ATDuUO.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\NoExplorer = "1"
- [ATDuUO.exe] Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}
- [regsvr32.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}
- [regsvr32.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ = "YoutubeAdblocker"
Drops file in Program Files directory (8 IoCs)
- [ATDuUO.exe] File opened for modification C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.x64.dll
- [ATDuUO.exe] File created C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.dll
- [ATDuUO.exe] File opened for modification C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.dll
- [ATDuUO.exe] File created C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.tlb
- [ATDuUO.exe] File opened for modification C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.tlb
- [ATDuUO.exe] File created C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.dat
- [ATDuUO.exe] File opened for modification C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.dat
- [ATDuUO.exe] File created C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.x64.dll
Modifies Internet Explorer settings (8 IoCs)
- [ATDuUO.exe] Key deleted \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{FF8E81E4-1D22-42E2-0976-743412A75EFF}
- [ATDuUO.exe] Key deleted \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration
- [regsvr32.exe] Key deleted \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{FF8E81E4-1D22-42E2-0976-743412A75EFF}
- [regsvr32.exe] Key deleted \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration
- [regsvr32.exe] Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration
- [regsvr32.exe] Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{FF8E81E4-1D22-42E2-0976-743412A75EFF}
- [ATDuUO.exe] Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration
- [ATDuUO.exe] Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{FF8E81E4-1D22-42E2-0976-743412A75EFF}
Modifies registry class (64 IoCs)
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{FF8E81E4-1D22-42E2-0976-743412A75EFF}"
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
- [ATDuUO.exe] Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ProgID\ = "YoutubeAdblocker.1.0"
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
- [regsvr32.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.x64.dll"
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32\ThreadingModel = "Apartment"
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}
- [regsvr32.exe] Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\VersionIndependentProgID
- [regsvr32.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\Programmable
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"
- [regsvr32.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker"
- [regsvr32.exe] Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ProgID
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0"
- [regsvr32.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\VersionIndependentProgID
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker"
- [regsvr32.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{FF8E81E4-1D22-42E2-0976-743412A75EFF}"
- [regsvr32.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0"
- [regsvr32.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\Implemented Categories
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\VersionIndependentProgID
- [regsvr32.exe] Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}
- [regsvr32.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker"
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\Implemented Categories
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.tlb"
- [regsvr32.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ = "YoutubeAdblocker"
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID
- [ATDuUO.exe] Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\Programmable
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32
- [regsvr32.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}
- [regsvr32.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.x64.dll"
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{FF8E81E4-1D22-42E2-0976-743412A75EFF}"
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32
- [regsvr32.exe] Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.dll"
- [ATDuUO.exe] Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ProgID
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker"
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"
- [ATDuUO.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- [regsvr32.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{FF8E81E4-1D22-42E2-0976-743412A75EFF}"
- [ATDuUO.exe] Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\VersionIndependentProgID
Suspicious use of WriteProcessMemory (8 IoCs)
- [087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe, pid 4200] wrote to memory of 4704 (target procid 93)
- [087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe, pid 4200] wrote to memory of 4704 (target procid 93)
- [087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe, pid 4200] wrote to memory of 4704 (target procid 93)
- [ATDuUO.exe, pid 4704] wrote to memory of 3784 (target procid 94)
- [ATDuUO.exe, pid 4704] wrote to memory of 3784 (target procid 94)
- [ATDuUO.exe, pid 4704] wrote to memory of 3784 (target procid 94)
- [regsvr32.exe, pid 3784] wrote to memory of 2704 (target procid 96)
- [regsvr32.exe, pid 3784] wrote to memory of 2704 (target procid 96)
System policy modification (1 TTP, 1 IoC)
- [ATDuUO.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF} = "1"
Processes (tree; each level is a child of the one above)
1. C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe"
   PID: 4200
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp/00294823/ATDuUO.exe"
      PID: 4704
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops Chrome extension
      - Installs/modifies Browser Helper Object
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - System policy modification
      3. C:\Windows\SysWOW64\regsvr32.exe
         Command line: regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.x64.dll"
         PID: 3784
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\regsvr32.exe
            Command line: /s "C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.x64.dll"
            PID: 2704
            - Loads dropped DLL
            - Registers COM server for autorun
            - Installs/modifies Browser Helper Object
            - Modifies Internet Explorer settings
            - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js
  Filesize: 2KB
  MD5: df13f711e20e9c80171846d4f2f7ae06
  SHA1: 56d29cda58427efe0e21d3880d39eb1b0ef60bee
  SHA256: 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
  SHA512: 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e
- C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest
  Filesize: 26B
  MD5: 4ad224c752c56e0b82d452325c80dfd3
  SHA1: e685fa7cb3a46d805416fd1f72f3b4522df9c56c
  SHA256: 07bf01362953947b2dc34a780c89b75b9f7452a121b3a0e91715a95eee23815e
  SHA512: 944289f554eeed2779236c4406b899ead223c4e5e09b4439aefb061e8fc55fc226489980b126300343f1b59771d169ac4045436cbe98310f4f68775d4858b9a0
- C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js
  Filesize: 8KB
  MD5: 43d766520c63334f014e473600fb01c8
  SHA1: b32b379e5254b4014fa7b80bdf3e8bc14699926e
  SHA256: 99d226daccc91d0c7c6d86fb6a3f09664f03be983ef31c7ee0e0790e93f370b2
  SHA512: d0e376a5564c4d435ce0648b5e6eb232e49256cccdee2fbc0e16fd180a466ca79f06b23fc813f9127e3bfab29a89484ccae165965fa45e860a107e96063931b4
- C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf
  Filesize: 610B
  MD5: ba0b3179a6f36758ab2e1aa82afc6361
  SHA1: 87b9408fc373da37d73cf9b3f8a52c3233b54c92
  SHA256: 8b4dd533d9571d566df8b4f1ae82a272d59881d9fe086002dbc626f4850eca49
  SHA512: ccfb3d66730bceb86ffd19c59b3fd9ba1dc850e0e1fb98b8d06ce2de71e9f2b51c15131c69eb01eb4cee45b2b71415c145fb9bf31b4297dde1edd88d439bff0a
- C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\lsdb.js
  Filesize: 531B
  MD5: b6d7dcc66dbb3f6fc3e112b2c1bee01a
  SHA1: c453ff9aeffed75ba68729fb40c291c887da5007
  SHA256: 6b4168e801cbc6e12c67eb1227bacd8b3e3d1c75177d617caf53e0e3db8ec297
  SHA512: cc2579fc863128db86c349586b3c32ebcf5c52b534359b5933a95075e13179c5e644176258903f955bbbff40bc4860895958635d41c766959dc47197613e6c53