04dad9f8a3f3ccd1e93c5a52d18ecc16ed30d317f8c2e2b9d015b5043459e331

Analysis

max time kernel
143s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe
Size

461KB
MD5

68c77dbeb56a74da63fa82a9f552ef0d
SHA1

d5ef2d8e9054c112d290c0d0ee6a47144de82472
SHA256

04dad9f8a3f3ccd1e93c5a52d18ecc16ed30d317f8c2e2b9d015b5043459e331
SHA512

b0f69e24d94961f76270e2f0fac8358ff67a9aa00a1b1e417824f5fd3a226caf3ce25637b39a468862391918d9cae16fccaaca3c144255493b20f861c9f630ac
SSDEEP

12288:iPptoY05ee6U1gx/ewbQTSoKZjdsjpcPmo:U4ee6U2/XbQYsjpbo

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C2D0D931-1886-11EF-BDEB-D6E40795ECBF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000509d543b2cb298498cde1a94060a5e7c0000000002000000000010660000000100002000000091c4581ae4ae69a139b8f47c42314c771e381a5aa187ff3593bdab21a58145fc000000000e800000000200002000000029acbbfeb0bc70f9a533ee0c931095ad946b7b36070f89210a82d5299f71139d20000000d94edb248581e715c13e8eac9e42e438cd10414472f4ce154148b75ad7d5f636400000009cfec542a544e0119d2344ded8d99d2a3fc3ed5ad2ae4810ac37c37043267d4b5561a6afd3bc9d1f62eab05f76dae3b5f7412c97521b64a4ede82da006d70a6f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422577122"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e056009893acda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000509d543b2cb298498cde1a94060a5e7c000000000200000000001066000000010000200000004e6bbf19062f8cfa3f181b72b8d6a28fda66f3ba02c5b9e0381d4e96183ced67000000000e80000000020000200000004e5a3dee27854c63e8942c9c9998aea2091274a445cd3d9669e390d72b1ef25990000000bdc8e5bdbad70d70d61f6443e077d9817faa174b74f4fc4fb6a98cd7f174b1b62145d6aab8f7b202fe92877b355c33f09f7de09e68ccbd51e8cb9fe2171788543a2416ba25813001829aecf664400dec48a00e44e13423686c10b685774213c04bf6837e52a8604f5599af9cf5f0d1073689e9f20eba774299133c2bc2bc1becb1101204db22c8e4d9d93c8288815d7640000000b742c5767fdd1506ddcfa7a3c4fa3cb4d9b2c2dc059e049510008305016848b263c6c66311a01cf9e5630ddf2afc4e8190ba460c3a786b6f8c1881f3186b224c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe

pid process

2416 68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe
2416 68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2452 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2452 iexplore.exe
2452 iexplore.exe
2624 IEXPLORE.EXE
2624 IEXPLORE.EXE
2624 IEXPLORE.EXE
2624 IEXPLORE.EXE

pid	process
2416	68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe
2416	68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe

pid	process
2452	iexplore.exe

pid	process
2452	iexplore.exe
2452	iexplore.exe
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2452 wrote to memory of 2624	2452	iexplore.exe	IEXPLORE.EXE
PID 2452 wrote to memory of 2624	2452	iexplore.exe	IEXPLORE.EXE
PID 2452 wrote to memory of 2624	2452	iexplore.exe	IEXPLORE.EXE
PID 2452 wrote to memory of 2624	2452	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68c77dbeb56a74da63fa82a9f552ef0d_JaffaCakes118.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2416

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://crusharcade.com/ca/thankyou?s=6%2BnC0dS2x8rB1tDTz%2FLXx%2BTAwcv%2FsbHHusHHtrC1wsG7wbW3tv%2FFwsrPxsc%3D
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2452 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
64c143e9f2a438ddf74501d3b3cc54bf

SHA1
66b41aabcaa5c364d405c858b85fa7a995f53c72

SHA256
02802fa86c2539668fb375ddf8b3ffa5a6c7ad8ae0050c3471dc9fca1275c0ca

SHA512
9decfe443630833dfc6c4e2b728c0395d0cbd59a5d868639f300244c4c61df6540b21d33497a8dd4e1947aaef02e4cbc815f53acc21d70ba1653d9492f438e96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
dbeb69d7cc2118606f37785105229493

SHA1
6dc5f9a68160fb6624d0dbbc998b80be0be096d5

SHA256
11ed3870144f305faeb6ff29236d9ff32c07fedb1066a837eecbc87efa63359b

SHA512
19ce43a4f286ae3db619623ce79b2021946f1c177a291756f9a13c0fadf7232acf1e3da8adb118b8d8cf79402f05f9728ce001dddbb4ff372334f6bd95edef9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
2817239b8434a9427d888cddc31577c8

SHA1
ef9789b22324d86214acf85c4f414d3beffd7ddb

SHA256
fe5df630571fe7fb551630aa9a24e089f3d5991901b611cf8f868fda79e47f55

SHA512
eecc34602893209a0de8652ea172ef0f4d44dca0a5edb93172ab4ccf20a530cd72d4fa9ef5e9ac4f2f8c676414c8fe3eb28b40eab76c86f675679daeadab179c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d3283f5e4937b9dcea9a34f865c8d8c

SHA1
f29d849b93648b33c28ba8ea15f051743337861f

SHA256
00d1a0758823ab38a8d97b38e847368793958def34452499dde3dee54efa2618

SHA512
13801fdf121ce646a1838a88d6893afb866d3448e036c102a51a438adba34206b876200e670fad16eac08d3d22f1f85ee6182bc5fe4e4dac69919fdbfbc917d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b5cfe63f42cc11e229a7ac7487225d9

SHA1
91539e93caef30ffbe6a2f539f23ac240a6bc5fc

SHA256
ec4c044db1b7335dcc3f10e9fd298d124daf41b542ba8e27989c6264d0984ef1

SHA512
5e901abcc129ab195ea63914ad101aec8559c850cf21ed16ecb5bba501b5f4119074621535d146a12b086b94ec498851be546852254c1abcc78bb459308c09d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b79129102944174ad4b0318d1030e8e

SHA1
8f2424f786235c392cd4c3d8e2035bb5c54c371c

SHA256
08eaf810a81bea9882b75d07461276d3c9e1308b92c5ff49ec0bf23f06d82bd5

SHA512
aa79eb3ec71e02cdb1892f416022fda326889dc5fe961ad6dfe699b2ba2e512c1be6537f9aa9c2aca100168208248f9bc7bdc2c1c25ffb635e47b84f60373f2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4a38db1e98377ea04360d23d3857884

SHA1
3f1e6f12b8c9ce2a65f7ccf9de29a9e32e041713

SHA256
5d9f06913bda2db10ae4953aadd743fff3fd1db897073be1cebb6bf6e1934e45

SHA512
b9d3b2bf776bcb7268be98c7c0f726c138589a808cac68b1673acbef7cdefae3e2f829e28e4f5f1b5e99bb1b5b7fc16acdb0c4640bc0442aa2f22b416142fc8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e32d3fe150c94868361b6df7c7c82a07

SHA1
657e4642ec486e1f2803dfd263ba08e724abfb06

SHA256
433f974d17c33cd227672516ed416e51df8981f5c00460d3056c7fdb832c8979

SHA512
763f2546dbe5718d0add3ce02641bf2675fbdbcb8c65f0ce655ebc48f70d0c1c867dfab5780c5068ae3bd3e659a8d8d59c39e05a48e4dddf523c9a8805232486

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e764e3b1b86bf4ca84d0da060436ca5

SHA1
97a5fbd23eb08761371ad6fcb5d25263015bc064

SHA256
0103e1a7588b73e00975e52fbd29bc7f8bb8b8d6d84322fd63477735777a5d0a

SHA512
e287230cf54fca55b11ef78ee18e2c31275f71b3c0a307386a29e0b23f1681e11452db66790229eda3a7debbce988336c1328b654a838f437d923383475d0e4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ddf62c60bd9b646db2f688a0994a260e

SHA1
4efde3e0fdb367e5815bdd62c560d8c866993c50

SHA256
68df1dcb2ae4b7c4fec399bcac366374f21112052613ec4b9fb58dbeaab4bed8

SHA512
54b80bb37367e5ca5f88c1fdcd59497c7f7b2c355e32dbce0393d7da3dda12a596248d5328becfb5326c5fdfde471f533c488d406736b9ffc981cd75f1e7eb2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1c95857a6b1f0db1384c84f4cb0068e

SHA1
6a85961810a8831a9bbfa7df83ac2010dfd8d636

SHA256
ccaa1aaa159101bf34874b527d1ef57ef851f037851414276039a315e58f4c95

SHA512
ed7336ecd1c5d1bd66f2ef35e76e0b02b4214001007e80f3684f6ccde220831261066825b7cfa4131e0515f86bcb60232d7191204a65632136f7b028c78b5316

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
274b024105b907b4a0540a7ed86310e1

SHA1
df19d6b740d989311b86f57938b60cb404b5f380

SHA256
052a66963c62b81b8cacce60e00121e2b7bf99a92f9d87ddf7e0749320273ce4

SHA512
ad7165d0e64414e5eb5a8b321313b81d5418951c1d855a07b2c211a89bdb9048271962ec7987c8101fbd9f589bf53442fcfd40db09fb574202950039b55a85fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dac532f83941aea78231f25d8d18d111

SHA1
50e37bcec597015928568ad8f6939c8daaf29398

SHA256
4fc04979b0f27319c236b402491840c34283a9a91dd18ba0a27a659677a0bbc3

SHA512
b9401dbdb8739c10da5eb3c913144430704fd9d134b9f297bcba0f944df234b7d420933e804a84be91f4c5f98f668cc6114de11f10722fbebaee490e40f73b02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35edc5610ef3932da7cae8245d0803b8

SHA1
301d7b7d8211041735d95db788f4b8c186fa7ba6

SHA256
614d7b942f40026a81094181f7d1d9d74bdb7a9006e8ad6f33e2e135fb2ccb8b

SHA512
e3128764176612643f3056078a73005d47a46734b2b5dbad2cfa648fbc7edec7acb8eead0490bea1884d23dd8e7c79951ac41e503f78a28732d3cdfee924eca2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66bca0d69633f8457ac67b0789a857d9

SHA1
07854f8a78bbfa5632c6b452242a68e9cf0c49cf

SHA256
dd55672522b5ec878cdb8490a328a7e426c67fee95096ce2b3102dd83af8ce8f

SHA512
a34acc53503f5bb457e8e9ee2b37c910e74790572dab69f532726ed6d785c4ec9f157ed9f631f44ec7cde221217a55d24500d80ecc2d4194f8bf6cf56057d9ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c0283ed931904d27e62456672ce8606

SHA1
1ffe1208a7602cb1d25abd7a47509724bb5e77ee

SHA256
c7c996829e7bf5dee4867234edd06f78eb4291df2fe6c9956a876af4a7a7585a

SHA512
42b6eaefb2cfde8d9734f4593579de76030c37a6a522f4d0c53418b0dffcec9ff39ef776ee2a47059be414c4c4eb403282a486a570e6ba458c204446b93d5bfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d92e68d9dfaaa4647b88fde575f7744

SHA1
8b0bd789d90587563775ff45fd7fb98311c6b569

SHA256
4f19a0695e223d4c855fd61dba109383663cf63f2f5e8a5e0b1b78ee9c8c0122

SHA512
77f4256ea93c351e5575e25eaa6b92fcad14dabceb20299b629cc7c9f681aa696a33f24ccf3d16aeaab6c98dc58d5b0dd02084586892b5ee09beaf521d1d5764

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2307a89d4062886e74efeb1a34927170

SHA1
8dc974c0b0f67959f91709bdc81134fc40351dbb

SHA256
95514611b2342c8fab5efb18417083cef64d8104a63bfd2d840413d5a98ae0de

SHA512
4856916dece352e2a95f2db5f717319eb49d14ee2569301b13d46e849f742e64976d1df632bfc1de43d0970fc8620dd0ac75fafa334faa6ad05c76d4a4f2b02f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c5f33a77372f3addf1169cbfc7ad9411

SHA1
9bf903d908b5a92b39a7b9a1dc77cf15c5a99f30

SHA256
c6a7246728f9e52f8f3630e8365f12d7df7a9f2d5ade9815617ee1618b112776

SHA512
a6a74647293b1863e2f481b20d2cead4c637bee6d83628dd8bcc8148f819f5623097c4085c27f8b91d7c6fe83b33363349032b18cc5226ea71a6b81b021da5de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
740b6781097e68d94b36249caa140e35

SHA1
0c95d0dc78793086e070d453ece491e803fe0dd0

SHA256
8a0c7d39906b14631eef0558dd0b1047e81fe77a8b7cecfb56285f6b71c90a52

SHA512
7a71e586e552b1de3afa524d0696bb5607313c22a37ef44eb8bf26b426ffe23bcd66ff4c79d5cf1895e237287a63eb2a4f94b5ea010c3fb9ce14568adfc186ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3371545725377d5ab3e2dec15414723f

SHA1
4ee0d3c58351164cf708fb7c1a0aae777143fa3c

SHA256
366c7d44456b17430178d7378f47d3858fc2826fd561d36bb4095e0000fd0332

SHA512
136b735868b20c59349d8b694b29a204e6043934027899354bb05baa889ccdfe2ee275c3a1f0af6a157960af12a42806e1135960e4b6c61c3d01746506e71919

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
715ee51545558d15c8067101e78c0f6e

SHA1
7d718d7de518a687a262330e3763ecb3930c647a

SHA256
06bd3f52cef420f2589efeda02df993109d114fd6379c2cb5c2bea0e2bfff8ee

SHA512
aae0874a70490614e9635117bd6d9204a1faa55a1cf58846ce839c0d6170ab8af88255923802e5c8950b7b8094ae3029aa7e057a4bef71c4ebe0c99e73e20382

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa4b3b7cf3a24a63df53541b309d9a7a

SHA1
350f0d2c6a8705781452a86ebf4dc52630f83d24

SHA256
b719ac532eb26b4767aa25049d0261f9aae7eb1a78ad502825e62a3e5fc17a8d

SHA512
1d3e08f35bd3a51ed4222edcc961826edf65a18fff7082d07bc78abbc446cefc6d0e3b897da0afdd637f64c2f80d403f6b440ae4fa08683ab80955476fed71a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
cd6e00fa1c752aaa5b210e1b3baa0703

SHA1
238e0ce02a94d5bd3828da4f92d5895511059eae

SHA256
d79b795a075cf37e841f7e86ad921227ab932783956e15d54617be51bc9ecaf7

SHA512
f1bd124ab9d5e81006cd285711c04438b0941c3e2c02ca51c54cfde786c140421f1c0726134cb152b584d8fd8d9f44674dac1fcfad5badeaf20eb966d6afd12c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
dcbe48bbb7e38bae71debd1e9087ebf9

SHA1
d61f777fcc5d4a0b6e37261b33fafa07c2d8b328

SHA256
a6b11850a901e54c08752980d49f2928cda26df0b04ec4cfda687a91ee459b1c

SHA512
247762ffee8293ca424c79151db9e6f42c2d1312f1d755e5313d61d4fd84d266fc814e02bde8d4f6f1c4121e219c3a1aa6c882a360365b65a10588b12ddb703b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s8rbov0\imagestore.dat

Filesize
1KB

MD5
1cb962c625e83b3dbdcda60be89bdd6a

SHA1
ffbc96f16d25898fefc5fb6dde9bd732025d9106

SHA256
481233ab2d7b4f0a9f707f7c3d40141ec128f161281af4fe87b9954293ff8217

SHA512
d764b7a7b4e5679d9b89920409c40c84f2c5b86d22f362cde33601b339efe2e115a6a18de6cdd88e8d8f3a7b6c76feeeff9269003d544ccdf69e55210a9678f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1N5ZRC4\favicon[1].ico

Filesize
1KB

MD5
4151d6e7572372d781a007caa3162cdb

SHA1
33d3f5d9b3d837b1c40cd89695aec459263febb8

SHA256
b564c7e8933ff4285726b6695c6b6de3cb52b11360d1121a6842c8cb39f2717d

SHA512
fd7aabd165edf80e5404317ce519095c69d0f8586acb200e9d8c5a12788e39c3222b48d43a1e18665138a227695041dec3b1bcc49408f24b31405eaca566119f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar230C.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/2416-38-0x0000000000890000-0x0000000000892000-memory.dmp

Filesize
8KB

Download