f4665a7274e113691256ab2e8d894098a5861558492ad71ee76544d029a172c1

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
Size

1.7MB
MD5

68ea74d81032cc2063e38713d1f60bc7
SHA1

10c89db2da989a74986c313784ed3911bd619ebf
SHA256

f4665a7274e113691256ab2e8d894098a5861558492ad71ee76544d029a172c1
SHA512

d71471c665b33bec2ac1f3504d7f0f3d167d111d5d71f61f9586a41cb7059a011d680b7eef935aef45a316681553f97de5e1f4c5204827c2c538e52cbfcd02de
SSDEEP

49152:Xh2qFcpFKLHn+om6N28ti3HqU/S4j8B7T9:XhxGFKT+F6N286KA6/9

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

WebActiveEXE.exeTimeGridEXE.exe

pid process

2708 WebActiveEXE.exe
2556 TimeGridEXE.exe

pid	process
2708	WebActiveEXE.exe
2556	TimeGridEXE.exe

Loads dropped DLL 7 IoCs

Processes:

68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exeTimeGridEXE.exe

pid	process
1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
2556	TimeGridEXE.exe

Drops file in Program Files directory 27 IoCs

Processes:

68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\postproc.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\IVSJsonSdk.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\MCL_FPTZ.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\mjpegdec.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\timeAxesDll.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\aacdec.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\mp2dec.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\npTimeGrid.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\g729dec.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\g7221dec.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\IvsLogic.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\FileOperator.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\DHSurveillanceDll.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\npmedia.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\hevcdec.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\Version.ini	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\IvsDrawer.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\dhnetsdk.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\dhplay.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\VideoWindow.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\fisheye.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\mpeg4dec.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\uninst.exe	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\h264dec.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
File created	C:\Program Files (x86)\webrec\WEB30\WebPlugin\FisheyeCtrl.dll	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

TASKKILL.exeTASKKILL.exe

pid process

1756 TASKKILL.exe
2748 TASKKILL.exe

pid	process
1756	TASKKILL.exe
2748	TASKKILL.exe

Modifies registry class 64 IoCs

Processes:

TimeGridEXE.exeWebActiveEXE.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15EF48B3-D5CA-4321-A186-EBE7B15392F1}\AppID = "{56422B45-FCAD-4B20-9C5A-A72686EE43F6}"	TimeGridEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4825A5A4-6D6F-4852-86AC-296295CB3A01}\1.0\0	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC76FFFE-A40A-4DAA-BC51-CAEBD5B5434C}\TypeLib\ = "{4825A5A4-6D6F-4852-86AC-296295CB3A01}"	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F9063B6-E081-49DB-9FEC-D72422F2727F}\ = "Plugin Class"	WebActiveEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F9063B6-E081-49DB-9FEC-D72422F2727F}\MiscStatus\1	WebActiveEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}\TypeLib	WebActiveEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TimeGridEXE.Plugin.1	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TimeGridEXE.Plugin.1\ = "Plugin Class"	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{42D32C3C-E614-422E-A061-6BDB18A7165D}\TypeLib\ = "{4825A5A4-6D6F-4852-86AC-296295CB3A01}"	TimeGridEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD09A797-F29F-453D-BA05-43E3A7BCC433}\1.0\HELPDIR	WebActiveEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	WebActiveEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}\TypeLib\ = "{DD09A797-F29F-453D-BA05-43E3A7BCC433}"	WebActiveEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TimeGridEXE.Plugin.1\CLSID	TimeGridEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F9063B6-E081-49DB-9FEC-D72422F2727F}	WebActiveEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD09A797-F29F-453D-BA05-43E3A7BCC433}\1.0\ = "WebActiveEXE 1.0 Type Library"	WebActiveEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE2DC66D-C162-496D-953C-C378F8B9B43F}\TypeLib	WebActiveEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TimeGridEXE.Plugin\ = "Plugin Class"	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{42D32C3C-E614-422E-A061-6BDB18A7165D}\ = "IPlugin"	TimeGridEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15EF48B3-D5CA-4321-A186-EBE7B15392F1}\Implemented Categories	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4825A5A4-6D6F-4852-86AC-296295CB3A01}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\webrec\\WEB30\\WebPlugin"	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F9063B6-E081-49DB-9FEC-D72422F2727F}\ProgID\ = "WebActiveEXE.Plugin.1"	WebActiveEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F9063B6-E081-49DB-9FEC-D72422F2727F}\LocalServer32\ = "\"C:\\Program Files (x86)\\webrec\\WEB30\\WebPlugin\\WebActiveEXE.exe\""	WebActiveEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F9063B6-E081-49DB-9FEC-D72422F2727F}\TypeLib\ = "{DD09A797-F29F-453D-BA05-43E3A7BCC433}"	WebActiveEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}\ProxyStubClsid32	WebActiveEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE2DC66D-C162-496D-953C-C378F8B9B43F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WebActiveEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15EF48B3-D5CA-4321-A186-EBE7B15392F1}\MiscStatus	TimeGridEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15EF48B3-D5CA-4321-A186-EBE7B15392F1}\MiscStatus\1	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{42D32C3C-E614-422E-A061-6BDB18A7165D}\TypeLib\ = "{4825A5A4-6D6F-4852-86AC-296295CB3A01}"	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{42D32C3C-E614-422E-A061-6BDB18A7165D}\TypeLib\Version = "1.0"	TimeGridEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F9063B6-E081-49DB-9FEC-D72422F2727F}\Programmable	WebActiveEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F9063B6-E081-49DB-9FEC-D72422F2727F}\MiscStatus\1\ = "131473"	WebActiveEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}\ = "_IPluginEvents"	WebActiveEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15EF48B3-D5CA-4321-A186-EBE7B15392F1}\MiscStatus\ = "0"	TimeGridEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15EF48B3-D5CA-4321-A186-EBE7B15392F1}\TypeLib	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15EF48B3-D5CA-4321-A186-EBE7B15392F1}\LocalServer32\ = "\"C:\\Program Files (x86)\\webrec\\WEB30\\WebPlugin\\TimeGridEXE.exe\""	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC76FFFE-A40A-4DAA-BC51-CAEBD5B5434C}\TypeLib\Version = "1.0"	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{42D32C3C-E614-422E-A061-6BDB18A7165D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	TimeGridEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{14E214D7-AAF0-4E41-9203-443828953DB8}	WebActiveEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEDCA323-84CC-4294-8C8A-866137D44A02}\ProxyStubClsid32	WebActiveEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE2DC66D-C162-496D-953C-C378F8B9B43F}	WebActiveEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE2DC66D-C162-496D-953C-C378F8B9B43F}\ProxyStubClsid32	WebActiveEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TimeGridEXE.Plugin	TimeGridEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{42D32C3C-E614-422E-A061-6BDB18A7165D}\TypeLib	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{14E214D7-AAF0-4E41-9203-443828953DB8}\ = "WebActiveEXE"	WebActiveEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TimeGridEXE.Plugin.1\CLSID\ = "{15EF48B3-D5CA-4321-A186-EBE7B15392F1}"	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC76FFFE-A40A-4DAA-BC51-CAEBD5B5434C}\ = "_IPluginEvents"	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{56422B45-FCAD-4B20-9C5A-A72686EE43F6}\ = "TimeGridEXE"	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15EF48B3-D5CA-4321-A186-EBE7B15392F1}\TypeLib\ = "{4825A5A4-6D6F-4852-86AC-296295CB3A01}"	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EC76FFFE-A40A-4DAA-BC51-CAEBD5B5434C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	TimeGridEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{42D32C3C-E614-422E-A061-6BDB18A7165D}\ProxyStubClsid32	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{42D32C3C-E614-422E-A061-6BDB18A7165D}\TypeLib\Version = "1.0"	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebActiveEXE.Plugin\CLSID\ = "{7F9063B6-E081-49DB-9FEC-D72422F2727F}"	WebActiveEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebActiveEXE.Plugin\CurVer\ = "WebActiveEXE.Plugin.1"	WebActiveEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE2DC66D-C162-496D-953C-C378F8B9B43F}\TypeLib	WebActiveEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TimeGridEXE.EXE	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15EF48B3-D5CA-4321-A186-EBE7B15392F1}\ = "Plugin Class"	TimeGridEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE2DC66D-C162-496D-953C-C378F8B9B43F}\TypeLib\Version = "1.0"	WebActiveEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EE2DC66D-C162-496D-953C-C378F8B9B43F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WebActiveEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4825A5A4-6D6F-4852-86AC-296295CB3A01}\1.0\0\win32	TimeGridEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WebActiveEXE.Plugin.1	WebActiveEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WebActiveEXE.Plugin\CurVer	WebActiveEXE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE2DC66D-C162-496D-953C-C378F8B9B43F}\ = "IPlugin"	WebActiveEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15EF48B3-D5CA-4321-A186-EBE7B15392F1}\Insertable	TimeGridEXE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EC76FFFE-A40A-4DAA-BC51-CAEBD5B5434C}\ProxyStubClsid32	TimeGridEXE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

TASKKILL.exeTASKKILL.exe

description pid process

Token: SeDebugPrivilege 1756 TASKKILL.exe
Token: SeDebugPrivilege 2748 TASKKILL.exe

description	pid	process
Token: SeDebugPrivilege	1756	TASKKILL.exe
Token: SeDebugPrivilege	2748	TASKKILL.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe

description	pid	process	target process
PID 1276 wrote to memory of 1756	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	TASKKILL.exe
PID 1276 wrote to memory of 1756	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	TASKKILL.exe
PID 1276 wrote to memory of 1756	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	TASKKILL.exe
PID 1276 wrote to memory of 1756	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	TASKKILL.exe
PID 1276 wrote to memory of 2748	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	TASKKILL.exe
PID 1276 wrote to memory of 2748	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	TASKKILL.exe
PID 1276 wrote to memory of 2748	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	TASKKILL.exe
PID 1276 wrote to memory of 2748	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	TASKKILL.exe
PID 1276 wrote to memory of 2708	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	WebActiveEXE.exe
PID 1276 wrote to memory of 2708	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	WebActiveEXE.exe
PID 1276 wrote to memory of 2708	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	WebActiveEXE.exe
PID 1276 wrote to memory of 2708	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	WebActiveEXE.exe
PID 1276 wrote to memory of 2556	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	TimeGridEXE.exe
PID 1276 wrote to memory of 2556	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	TimeGridEXE.exe
PID 1276 wrote to memory of 2556	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	TimeGridEXE.exe
PID 1276 wrote to memory of 2556	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	TimeGridEXE.exe
PID 1276 wrote to memory of 3012	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	regsvr32.exe
PID 1276 wrote to memory of 3012	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	regsvr32.exe
PID 1276 wrote to memory of 3012	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	regsvr32.exe
PID 1276 wrote to memory of 3012	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	regsvr32.exe
PID 1276 wrote to memory of 3012	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	regsvr32.exe
PID 1276 wrote to memory of 3012	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	regsvr32.exe
PID 1276 wrote to memory of 3012	1276	68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\68ea74d81032cc2063e38713d1f60bc7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM WebActiveEXE.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM TimeGridEXE.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe
"C:\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe" /regserver
2⤵
- Executes dropped EXE
- Modifies registry class
PID:2708

C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe
"C:\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe" /regserver
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2556

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "atl.dll"
2⤵
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\webrec\WEB30\WebPlugin\timeAxesDll.dll

Filesize
96KB

MD5
559c9a30db9b9fdfd54ab29c88c5909a

SHA1
4b49e6abc9433cd0c81aef99482a01be385764f8

SHA256
af5d26108c799b176f4ecae32fa4b09f10b29cd0dae13c99b16600aae13eeb4a

SHA512
d2c24d21e836bfd913737d735386d7b6469e0fdd8d90171dada836be3455e0d0f20ea929e397f263075738cd6a5060978b905dacfb25793094d361231b0c1ca4

Download Submit
\Program Files (x86)\webrec\WEB30\WebPlugin\TimeGridEXE.exe

Filesize
52KB

MD5
af50127a954067653a489b703e19eec0

SHA1
3664f6855dcb2ad142e2025e3b803fccf25f0113

SHA256
e3315101016dac8499cd41342ad82d50acda5f832256a439391908e509082103

SHA512
071dd32f257194b35d912d35ea1421282b5962fe9985aef5a6b7380ce5e2d71310fc78f75e9c1c374078871b2e1c6f4a47a5ec2e90de684f7d06cd47bd9e6719

Download Submit
\Program Files (x86)\webrec\WEB30\WebPlugin\WebActiveEXE.exe

Filesize
144KB

MD5
19734330434bd0ff9a79299abaeee6e1

SHA1
1dc0cf02842fdbae933bed05f9e12441ba66ab87

SHA256
782d58dc5c604d3f63b1c07dd3a436f9d5390849dc42a852c22ab6b623c69758

SHA512
ff631ada408a7a89642380262cb3337226acce50386e226e723e01b47d7bffbf16a234fec94d7329a26be50ffd1677924009b8192d236bdeb103f1c6bb23f93b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1373.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit