15062a87c5b7c0b847a21e6e0dad5b2ec06a95cf02780056d2b175f001dfd701

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-05-2024 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bc3a65bbf1a6905afeb256146d69969_JaffaCakes118.exe
Size

1.6MB
MD5

3bc3a65bbf1a6905afeb256146d69969
SHA1

62083da37c7e5e02050e5c913aa43d61b2d42b38
SHA256

15062a87c5b7c0b847a21e6e0dad5b2ec06a95cf02780056d2b175f001dfd701
SHA512

923cd3b35972b220676cf494ee7f02d2af74fbe3624b38a8f6207d9c98b274bd85d204d990482c81daa138067dca0ccce41aa74a29e4e351e0f21e615cdcccbc
SSDEEP

49152:WXql1PTpMhNxm+BZcb7K/dbzptGoZS1pqjSmRwLJF/:WXq/TKi/K/dSn1puOB

Score

7^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2532	eohRxhj.exe

Loads dropped DLL 4 IoCs

pid	Process
2608	3bc3a65bbf1a6905afeb256146d69969_JaffaCakes118.exe
2532	eohRxhj.exe
1148	regsvr32.exe
1364	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\InprocServer32\ = "C:\\Program Files (x86)\\CoolCoupon\\bJAwhX.x64.dll"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81165607-381D-0CC2-2465-D0D4EF1ABA53}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{81165607-381D-0CC2-2465-D0D4EF1ABA53}	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\ = "CoolCoupon"	eohRxhj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\NoExplorer = "1"	eohRxhj.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{81165607-381D-0CC2-2465-D0D4EF1ABA53}	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81165607-381D-0CC2-2465-D0D4EF1ABA53}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\ = "CoolCoupon"	regsvr32.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CoolCoupon\bJAwhX.x64.dll	eohRxhj.exe
File opened for modification	C:\Program Files (x86)\CoolCoupon\bJAwhX.x64.dll	eohRxhj.exe
File created	C:\Program Files (x86)\CoolCoupon\bJAwhX.dll	eohRxhj.exe
File opened for modification	C:\Program Files (x86)\CoolCoupon\bJAwhX.dll	eohRxhj.exe
File created	C:\Program Files (x86)\CoolCoupon\bJAwhX.tlb	eohRxhj.exe
File opened for modification	C:\Program Files (x86)\CoolCoupon\bJAwhX.tlb	eohRxhj.exe
File created	C:\Program Files (x86)\CoolCoupon\bJAwhX.dat	eohRxhj.exe
File opened for modification	C:\Program Files (x86)\CoolCoupon\bJAwhX.dat	eohRxhj.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{81165607-381D-0CC2-2465-D0D4EF1ABA53}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	eohRxhj.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{81165607-381D-0CC2-2465-D0D4EF1ABA53}	eohRxhj.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{81165607-381D-0CC2-2465-D0D4EF1ABA53}	eohRxhj.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	eohRxhj.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{81165607-381D-0CC2-2465-D0D4EF1ABA53}	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\Programmable	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CoolCoupon.CoolCoupon.4.0\ = "CoolCoupon"	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CoolCoupon.CoolCoupon.4.0\CLSID\ = "{81165607-381D-0CC2-2465-D0D4EF1ABA53}"	eohRxhj.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\VersionIndependentProgID	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CoolCoupon.CoolCoupon\CLSID\ = "{81165607-381D-0CC2-2465-D0D4EF1ABA53}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CoolCoupon.CoolCoupon.4.0\CLSID	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\CoolCoupon\\bJAwhX.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\VersionIndependentProgID\ = "CoolCoupon"	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\ProgID	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CoolCoupon.CoolCoupon	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CoolCoupon.CoolCoupon\CLSID	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	eohRxhj.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\CoolCoupon\\bJAwhX.tlb"	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CoolCoupon.CoolCoupon\ = "CoolCoupon"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CoolCoupon.CoolCoupon.4.0	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CoolCoupon.CoolCoupon.4.0\CLSID\ = "{81165607-381D-0CC2-2465-D0D4EF1ABA53}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CoolCoupon.CoolCoupon\CurVer\ = "CoolCoupon.4.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\ProgID\ = "CoolCoupon.4.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	eohRxhj.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CoolCoupon.CoolCoupon\CLSID\ = "{81165607-381D-0CC2-2465-D0D4EF1ABA53}"	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\Implemented Categories	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CoolCoupon.CoolCoupon\CurVer	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\Programmable	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\InprocServer32	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\CoolCoupon\\bJAwhX.dll"	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	eohRxhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53}\InprocServer32	regsvr32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2532	2608	3bc3a65bbf1a6905afeb256146d69969_JaffaCakes118.exe	28
PID 2608 wrote to memory of 2532	2608	3bc3a65bbf1a6905afeb256146d69969_JaffaCakes118.exe	28
PID 2608 wrote to memory of 2532	2608	3bc3a65bbf1a6905afeb256146d69969_JaffaCakes118.exe	28
PID 2608 wrote to memory of 2532	2608	3bc3a65bbf1a6905afeb256146d69969_JaffaCakes118.exe	28
PID 2608 wrote to memory of 2532	2608	3bc3a65bbf1a6905afeb256146d69969_JaffaCakes118.exe	28
PID 2608 wrote to memory of 2532	2608	3bc3a65bbf1a6905afeb256146d69969_JaffaCakes118.exe	28
PID 2608 wrote to memory of 2532	2608	3bc3a65bbf1a6905afeb256146d69969_JaffaCakes118.exe	28
PID 2532 wrote to memory of 1148	2532	eohRxhj.exe	29
PID 2532 wrote to memory of 1148	2532	eohRxhj.exe	29
PID 2532 wrote to memory of 1148	2532	eohRxhj.exe	29
PID 2532 wrote to memory of 1148	2532	eohRxhj.exe	29
PID 2532 wrote to memory of 1148	2532	eohRxhj.exe	29
PID 2532 wrote to memory of 1148	2532	eohRxhj.exe	29
PID 2532 wrote to memory of 1148	2532	eohRxhj.exe	29
PID 1148 wrote to memory of 1364	1148	regsvr32.exe	30
PID 1148 wrote to memory of 1364	1148	regsvr32.exe	30
PID 1148 wrote to memory of 1364	1148	regsvr32.exe	30
PID 1148 wrote to memory of 1364	1148	regsvr32.exe	30
PID 1148 wrote to memory of 1364	1148	regsvr32.exe	30
PID 1148 wrote to memory of 1364	1148	regsvr32.exe	30
PID 1148 wrote to memory of 1364	1148	regsvr32.exe	30

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	eohRxhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{81165607-381D-0CC2-2465-D0D4EF1ABA53} = "1"	eohRxhj.exe

C:\Users\Admin\AppData\Local\Temp\3bc3a65bbf1a6905afeb256146d69969_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3bc3a65bbf1a6905afeb256146d69969_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Local\Temp\00294823\eohRxhj.exe
  "C:\Users\Admin\AppData\Local\Temp/00294823/eohRxhj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2532
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s "C:\Program Files (x86)\CoolCoupon\bJAwhX.x64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\CoolCoupon\bJAwhX.x64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js

Filesize
2KB

MD5
1b53c596cfb1aa2209446ff64c17dabd

SHA1
2542da14728dcdbe1763f1ee39fe9ceae38ad414

SHA256
a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

SHA512
be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest

Filesize
106B

MD5
3e7e8d7dd8cff1a2c2604caaa0e2a938

SHA1
c7a0b2edb379ddc93cf4dc69ec20500253a20d73

SHA256
64a8fe708c1fe75af73905615defe756284f57e3283b6bc39b2d98e2a598d8f3

SHA512
325c41e4d7f0c82674f3ad0797a4e2ad6c476a75777bb11d648875e7ba0571bcebe1e74c2ec0f518970e47e1e2f7375159f108a0bae4bd376d8d736cf92c92b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js

Filesize
9KB

MD5
79677baeb303b3c873f3a1f922f29ae1

SHA1
6631312f11e8b325d739ec351dc31ec500421875

SHA256
944541581949a6b8e8470596c4d4b298d1f967edc05e33b801a3ae65d9df6d03

SHA512
2b3cfea9b22183bdfb6e89ad86ff8310b349b3368d93ef6bc20c13e922882fad8e57ebe9339a1adb2b923b275b681105e413a6fd5a5a505a17e7a8598e09eed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf

Filesize
615B

MD5
9a7bd9923919f803199fac78771ef086

SHA1
680ef8f8a96b790770cbda72ae6f320e50dd6c2a

SHA256
261209a06f046388a9529ec8bd0921319b25dc471b8cc5608a56a6faccfec51f

SHA512
9d1109ab4217d16e9911128ee0013dc04736841ccca713aa9a5ba5ff51fde6dfaf11820a4a11f083ac691d202d1ef59c86496769ce9aafc3ecc5b6c156451425

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\affefbdioemkciihoeikbknbnkfbmenl.crx

Filesize
8KB

MD5
3555dced9f3a868c4a8a5ad38978f9f7

SHA1
b2009130919c6dabb8210d4464984273257c71a2

SHA256
8647190f5c661c8e1f17ed60e330649524a1a2923e0bc1d4e89b91b123aff4b9

SHA512
33b51be8d00132f2f72bcecceb4d218b8f744ed06091c8e8911e9ce7f4cec2e36cc2b9fb0df5660fa4e209692f338f392a33e141fb65840858110f25697f8b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\bJAwhX.dll

Filesize
416KB

MD5
b5e8219112f5de28e71487fd8c367b8f

SHA1
cc60f4497ee2328e43e89474c412d75a90be2e1b

SHA256
e23b94a809d4306dce3c0fb5a7dc76ad25e133cb74daa489629419ba1d849ebe

SHA512
d4dd2a41ab9c17125263824f3f4b5c6f3a5f8dc7c78adc298391a6a18b495a521388e2c8524c5050b7452df89d048a12b014e711fef7e4ed8b439d8959a7357d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\bJAwhX.tlb

Filesize
3KB

MD5
8d1f5f85eefb09e07c0f1357289b7251

SHA1
f9e39ac9d8e978d8fe834c527a6160eb58392e77

SHA256
2e46c45652d03653c407468ca871f4e910b4cec36af85853e2bd06f3fb7ad4ae

SHA512
df483e23bf19f90b07cf70d5e4bf7a26ece3bea39cc78b0dd652d179890000ec2c603841f5354e27676f60055094e13749ad6fc11dcf56aa8be32a8a7d916fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\bJAwhX.x64.dll

Filesize
463KB

MD5
51869d78edfbeb04d0805522d9232518

SHA1
4c1a736dbf800b83580265a6c6ae2ebd13e0b3cc

SHA256
5b9f026657796490c626a88c1b7533fc23a1ee92b4bad819f4d0940e18d0c7ae

SHA512
9f99165b2c27df5f43131d857340aeb197d24b00a7176943c98f9b45bd7919e4ce002f68c9c1ed03424f42a1ce94ff3968b315cf9f6d2edfba708d86fc2c03fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\eohRxhj.dat

Filesize
3KB

MD5
231dd3f985d8a82c0405f544eaaa1789

SHA1
529e874f63651aeae5a154bf1a5e025225a16a3b

SHA256
656dbca69310ad368e9d6d4178822620b86b46d4fb7f8a218cb6d218f3c7f5a0

SHA512
85baa9ce764963888103b634bf1c4080c4ec2f0e7c6a8a22814b83daa4bca1b89cde5ef0aea340477bf08cd178d2dbfe163be1c367e5b1bc5486413edf1f92d7

Download Submit
\Users\Admin\AppData\Local\Temp\00294823\eohRxhj.exe

Filesize
489KB

MD5
a0b8b6a6967532631848d298e7947584

SHA1
921e36f888e2a9fbc73c381109526ce1ea874999

SHA256
cb90dc623c6927c7d6aae483b917e2b4aca0ed46d0d619dd7fe9fc3e9d74d90f

SHA512
773e03d2bc7e7ac4070d238092364060396682b94289aec1fd07dfb91c3e42bbbc0069bcf50ae29750409f22ccbcdecd13c7555a1e3346272b0838d30202287a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads