a1b49c96c5804173b0b616cb908aab32ca70e1eece7f803364533e628bd6a3e9

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Size

12.5MB
MD5

8d929122aba28ca23cb53c0a2f3d5859
SHA1

f0ebd876d386eac18ef055703d7eda4d1209ff2e
SHA256

a1b49c96c5804173b0b616cb908aab32ca70e1eece7f803364533e628bd6a3e9
SHA512

4d8b5dd939f97983e5a00c54829e5f80a082c7dcf0d75c052606dd750da93905657fda1da9b7173c14d66de3e6beb9dc3c48145eda9aaa90b41066c579f66ffa
SSDEEP

393216:5xN+83+JUzBKcIbEqzqDtH9MtV2ChURiGQj7duT:h+80aBuNmrMtV2I0QjBW

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1848	SwHelper_1235205.exe
1032	SwDnld.exe

Loads dropped DLL 4 IoCs

pid	Process
1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\SwHelper_1235205.exe	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Dynamiks.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Font Xtra.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Havok.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Speech.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Swadcmpr.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Windows Media Asset.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Cursor Asset.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Shockwave 3d Asset.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Director\M5if32.dll	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Director\SWDNLD.EXE	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\BitmapFilters.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Font Asset.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Mix Services.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\PNG Import Export.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\QT6Asset.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\RealMedia Asset.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\SWA Import Export.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\XMLParser.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\DynaPlayer.dll	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Flash Asset.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\INetURL.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Proj.dll	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\DVD Asset.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msvcp100.dll	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Director\np32dsw_1235205.dll	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\dirapi.dll	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\MPEG 3 Import Export.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Multiusr.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Sound Control.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Control.dll	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Animated GIF Asset.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\SwLogo.bmp	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Netlingo.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Plugin.dll	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\CBrowser.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Sound Import Export.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\F4VAsset.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Sun AU Import Export.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Swastrm.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Tiff Import Export.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msvcr100.dll	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\SwMenu.dll	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\iml32.dll	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\AudioFilters.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Director\SwDir_1235205.dll	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\SwInit.exe	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\AudioMixer.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\DirectSound.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Dynamiks_320.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\MP4Asset.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Director\M5drvr32.exe	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\swMSM.msi	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\FLVAsset.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\MacroMix.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Netfile.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Targa Import Export.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\TextXtra.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\shockwave_Projector_Loader.dcr	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\Xtras\Text Asset.x32	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Adobe\Shockwave 12\uninstaller.exe	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieuser.exe	SwHelper_1235205.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240602091312330.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240602091312408.0	msiexec.exe
File created	C:\Windows\Installer\f76149d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76149d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{612C34C7-5E90-47D8-9B5C-0F717DD82726}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f76149a.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240602091312330.0\msvcr90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240602091312330.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240602091312330.0\msvcm90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240602091312408.0\9.0.30729.1.cat	msiexec.exe
File created	C:\Windows\Installer\{612C34C7-5E90-47D8-9B5C-0F717DD82726}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\f76149f.msi	msiexec.exe
File created	C:\Windows\Installer\f76149a.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240602091312330.0\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240602091312330.0\msvcp90.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240602091312408.0\9.0.30729.1.policy	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI166E.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Setup\Installed Components\{233C1507-6A77-46A4-9443-F871F945D258}\ComponentID	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{39A895E9-93DD-4ffa-A4A3-2C14608B5B61}\CLSID = "{AF551664-D2DF-4E34-85DE-46320B13A0B4}"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68934FDE-CDB1-42CC-A38B-A44B43B0785C}\CLSID = "{D21ED08F-6B88-45EC-A71C-6BD453B561D0}"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{39A895E9-93DD-4ffa-A4A3-2C14608B5B61}\Policy = "3"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Setup\Installed Components\{233C1507-6A77-46A4-9443-F871F945D258}	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Setup\Installed Components\{233C1507-6A77-46A4-9443-F871F945D258}\Locale	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{166B1BCA-3F9C-11CF-8075-444553540000}	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{39A895E9-93DD-4ffa-A4A3-2C14608B5B61}\AppName = "SwHelper_1235205.exe"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\ActiveX Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}\Locale	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68934FDE-CDB1-42CC-A38B-A44B43B0785C}\AppPath = "C:\\Windows\\SysWOW64\\Adobe\\Director"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\ActiveX Setup\Installed Components\{233C1507-6A77-46A4-9443-F871F945D258}	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}\IsInstalled = "16777216"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68934FDE-CDB1-42CC-A38B-A44B43B0785C}	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Setup	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Setup\Installed Components	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{166B1BCA-3F9C-11CF-8075-444553540000}\Compatibility Flags = "1024"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{39A895E9-93DD-4ffa-A4A3-2C14608B5B61}	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68934FDE-CDB1-42CC-A38B-A44B43B0785C}\AppName = "SWDNLD.EXE"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}\ComponentID	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave\application/x-director	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{166B1BCA-3F9C-11CF-8075-444553540000}\AlternateCLSID = "{233C1507-6A77-46A4-9443-F871F945D258}"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{39A895E9-93DD-4ffa-A4A3-2C14608B5B61}\AppPath = "C:\\Windows\\SysWOW64\\Adobe\\Shockwave 12"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68934FDE-CDB1-42CC-A38B-A44B43B0785C}\Policy = "3"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}\Version	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Setup\Installed Components\{233C1507-6A77-46A4-9443-F871F945D258}\Version	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C43C21609E58D74B9C5F017D78D7262\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4DB2E429-B905-479A-9EFF-F7CBD9FD52DE}\ProgID\ = "Swdir.SwInstallerCtl.1"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21ED08F-6B88-45EC-A71C-6BD453B561D0}\ = "SwInstaller Class"	SwDnld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9CDE9DF-EC36-4649-8D2A-05FEBDC77167}\ProxyStubClsid32	SwDnld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\TypeLib	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5167A27A-8594-44F4-86D3-D3946DB2200E}\TypeLib\ = "{6EF568F4-D437-4466-AA63-A3645136D93E}"	SwHelper_1235205.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C43C21609E58D74B9C5F017D78D7262\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\VersionIndependantProgId	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\MiscStatus\1\ = "131473"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{644F7CB5-EE49-44FC-8587-FAA5EC7A2A3E}\ = "ISwInstallerCtl"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32	SwHelper_1235205.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083BBEF3-E0FA-42C1-897B-2EFA642F6654}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SwDnld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{233C1507-6A77-46A4-9443-F871F945D258}\EnableFullPage	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F3CB77D-D339-49e0-B8E4-FECD6D6F8CB8}	SwHelper_1235205.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0103A448-2934-4B3D-A54E-FED761D472E0}\ProgID	SwHelper_1235205.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C43C21609E58D74B9C5F017D78D7262\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dxr	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4DB2E429-B905-479A-9EFF-F7CBD9FD52DE}\MiscStatus\1\ = "131473"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC4C21AD-9194-416E-9D34-D6C1350F28F6}	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{166B1BC8-3F9C-11CF-8075-444553540000}	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SwBroker.SwHelper.1\ = "SwHelper Class"	SwHelper_1235205.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B1BE04D7-6B93-41BB-BA82-57715AF97013}\ = "_ISwInstallerEvents"	SwDnld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\MiscStatus	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SWCtl.SWCtl.1	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0103A448-2934-4B3D-A54E-FED761D472E0}\ = "SwHelperAttributes Class"	SwHelper_1235205.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}	SwHelper_1235205.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D21ED08F-6B88-45EC-A71C-6BD453B561D0}\TypeLib	SwDnld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28310B1B-B757-4b87-9AFA-8E5FAF126156}\Programmable	SwDnld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{166B1BC9-3F9C-11CF-8075-444553540000}\TypeLib\ = "{AC4C21AD-9194-416E-9D34-D6C1350F28F6}"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E7E1E16-EDBF-4F68-85D6-CD8D4CA35A53}\ = "ISwInstallerCtl2"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5167A27A-8594-44F4-86D3-D3946DB2200E}\TypeLib	SwHelper_1235205.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28310B1B-B757-4b87-9AFA-8E5FAF126156}	SwDnld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9CDE9DF-EC36-4649-8D2A-05FEBDC77167}\TypeLib	SwDnld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C43C21609E58D74B9C5F017D78D7262	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{644F7CB5-EE49-44FC-8587-FAA5EC7A2A3E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SwBroker.SwHelper\CLSID\ = "{1F3CB77D-D339-49e0-B8E4-FECD6D6F8CB8}"	SwHelper_1235205.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SwHelper.SwHelperAttributes\CurVer	SwHelper_1235205.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{28310B1B-B757-4b87-9AFA-8E5FAF126156}\TypeLib	SwDnld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C43C21609E58D74B9C5F017D78D7262\PackageCode = "F8F878226323DDF479B6F68557C31269"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SWCtl.SWCtl\ = "Shockwave ActiveX Control"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C9CDE9DF-EC36-4649-8D2A-05FEBDC77167}\TypeLib\ = "{014BE14D-FFF9-4BF4-826F-323BBFB3D975}"	SwDnld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\196364DA12ACDBC43BBE2824661923A5	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6EF568F4-D437-4466-AA63-A3645136D93E}\1.0\0	SwHelper_1235205.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F251AF8D-29B2-4D35-9BA0-FE224C2E85F2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SwHelper_1235205.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Download.SwInstaller.1\ = "SwInstaller Class"	SwDnld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0103A448-2934-4B3D-A54E-FED761D472E0}\LocalServer32	SwHelper_1235205.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6EF568F4-D437-4466-AA63-A3645136D93E}\1.0	SwHelper_1235205.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0AD42179-1A88-4C3C-932B-C73EB3EA4CA1}\TypeLib\Version = "1.0"	SwHelper_1235205.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1BE04D7-6B93-41BB-BA82-57715AF97013}\ProxyStubClsid32	SwDnld.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C43C21609E58D74B9C5F017D78D7262\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B367878-C7C3-4204-ADF5-B9E091E37336}\ = "ISwHelper"	SwHelper_1235205.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C43C21609E58D74B9C5F017D78D7262\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F3CB77D-D339-49e0-B8E4-FECD6D6F8CB8}\TypeLib	SwHelper_1235205.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{644F7CB5-EE49-44FC-8587-FAA5EC7A2A3E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{083BBEF3-E0FA-42C1-897B-2EFA642F6654}\TypeLib\ = "{014BE14D-FFF9-4BF4-826F-323BBFB3D975}"	SwDnld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{644F7CB5-EE49-44FC-8587-FAA5EC7A2A3E}\TypeLib\ = "{AC4C21AD-9194-416E-9D34-D6C1350F28F6}"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5167A27A-8594-44F4-86D3-D3946DB2200E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SwHelper_1235205.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{083BBEF3-E0FA-42C1-897B-2EFA642F6654}	SwDnld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\EnableFullPage\.dcr	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC4C21AD-9194-416E-9D34-D6C1350F28F6}\1.0\FLAGS\ = "0"	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SwBroker.SwHelper.1\CLSID	SwHelper_1235205.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Download.SwInstallerAttributes.1\CLSID	SwDnld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{014BE14D-FFF9-4BF4-826F-323BBFB3D975}\1.0\FLAGS	SwDnld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{014BE14D-FFF9-4BF4-826F-323BBFB3D975}\1.0\HELPDIR	SwDnld.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2480	msiexec.exe
2480	msiexec.exe
1848	SwHelper_1235205.exe
1848	SwHelper_1235205.exe
1848	SwHelper_1235205.exe
1848	SwHelper_1235205.exe
1848	SwHelper_1235205.exe
1848	SwHelper_1235205.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeSecurityPrivilege	2480	msiexec.exe
Token: SeCreateTokenPrivilege	2732	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2732	msiexec.exe
Token: SeLockMemoryPrivilege	2732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2732	msiexec.exe
Token: SeMachineAccountPrivilege	2732	msiexec.exe
Token: SeTcbPrivilege	2732	msiexec.exe
Token: SeSecurityPrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeLoadDriverPrivilege	2732	msiexec.exe
Token: SeSystemProfilePrivilege	2732	msiexec.exe
Token: SeSystemtimePrivilege	2732	msiexec.exe
Token: SeProfSingleProcessPrivilege	2732	msiexec.exe
Token: SeIncBasePriorityPrivilege	2732	msiexec.exe
Token: SeCreatePagefilePrivilege	2732	msiexec.exe
Token: SeCreatePermanentPrivilege	2732	msiexec.exe
Token: SeBackupPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeShutdownPrivilege	2732	msiexec.exe
Token: SeDebugPrivilege	2732	msiexec.exe
Token: SeAuditPrivilege	2732	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2732	msiexec.exe
Token: SeChangeNotifyPrivilege	2732	msiexec.exe
Token: SeRemoteShutdownPrivilege	2732	msiexec.exe
Token: SeUndockPrivilege	2732	msiexec.exe
Token: SeSyncAgentPrivilege	2732	msiexec.exe
Token: SeEnableDelegationPrivilege	2732	msiexec.exe
Token: SeManageVolumePrivilege	2732	msiexec.exe
Token: SeImpersonatePrivilege	2732	msiexec.exe
Token: SeCreateGlobalPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe
Token: SeRestorePrivilege	2480	msiexec.exe
Token: SeTakeOwnershipPrivilege	2480	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2732	1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe	28
PID 1996 wrote to memory of 2732	1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe	28
PID 1996 wrote to memory of 2732	1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe	28
PID 1996 wrote to memory of 2732	1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe	28
PID 1996 wrote to memory of 2732	1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe	28
PID 1996 wrote to memory of 2732	1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe	28
PID 1996 wrote to memory of 2732	1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe	28
PID 1996 wrote to memory of 1848	1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe	30
PID 1996 wrote to memory of 1848	1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe	30
PID 1996 wrote to memory of 1848	1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe	30
PID 1996 wrote to memory of 1848	1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe	30
PID 1996 wrote to memory of 1032	1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe	31
PID 1996 wrote to memory of 1032	1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe	31
PID 1996 wrote to memory of 1032	1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe	31
PID 1996 wrote to memory of 1032	1996	8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d929122aba28ca23cb53c0a2f3d5859_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\msiexec.exe
  msiexec /i "C:\Windows\SysWOW64\Adobe\Shockwave 12\swMSM.msi" /qn
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\SysWOW64\Adobe\Shockwave 12\SwHelper_1235205.exe
  "C:\Windows\system32\Adobe\Shockwave 12\SwHelper_1235205.exe" /regserver
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1848
- C:\Windows\SysWOW64\Adobe\Director\SwDnld.exe
  C:\Windows\system32\Adobe\Director\SwDnld.exe /regserver
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1032

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adobe\Shockwave 12\swMSM.msi

Filesize
2.0MB

MD5
25b47efbe9dcef40bb9760b6b7846b99

SHA1
0c9bf0fe2fb303f661cb9e422442200974f5ac28

SHA256
0bb631d810fdd00cafe5da937174a5df79ca4a4daa46a0e714c39a1ed06fec3a

SHA512
0707aa06ecfc5a4b8ac564e3556ccfc458a6a81cf652084be7917331b25c14e2607479212d67d65dd0bfac264cc8fcdda58c3c379ab86ec1bd2f5d309b2770ec

Download Submit
\Users\Admin\AppData\Local\Temp\nstF8D.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
\Windows\SysWOW64\Adobe\Director\SWDNLD.EXE

Filesize
150KB

MD5
1f29929c7d653b691d9003f9c531271e

SHA1
36fa927b980fefd51e9f4beb0700b0831b27483c

SHA256
ae9c8dee11b894a041fb8de707567e1bcab2eecb50b2aae912e7c5d43d919185

SHA512
eda4ae26ca7ee0bedfe41664dd333d542b51000675e71b7ff626f03f24a385e45f4dc98fed69ce0121a8ab046eab7a7caf2ed178bd551487d525119de76da044

Download Submit
\Windows\SysWOW64\Adobe\Director\SwDir_1235205.dll

Filesize
394KB

MD5
362adac40e323315dd5917dbbefcda71

SHA1
98d3511d7ce634683a0a973f11558df4cce7da05

SHA256
2f2a53d680162de293f53592451f9559876e19de25053180d430e6ec07b32fe9

SHA512
52e7628112ef53ebe58a5650d8923935febbec09416528786fcfbb44d431bc5252a1cfce8d843da641417ff924a8a2cfe07e172fc6f64657b7c0dda7c55d9a97

Download Submit
\Windows\SysWOW64\Adobe\Shockwave 12\SwHelper_1235205.exe

Filesize
1.3MB

MD5
a8508a1759cd36e437042bdc9e377575

SHA1
1667f5207ff2f266514981a7158378fa756fd7f6

SHA256
ac394a271655fd3df3c70a3adafc088d2e2600a426e1cc6c0787cde8025b745e

SHA512
e9724e336c6f70060ce9e27403adcadfeb49f0a25f158c59fb35532758b5e5ccfdc7895e3881f049301631b10b824255d5ca29492e2eed1655fbd6e210846a1e

Download Submit