15a701b7671bcee70aa12b57edaf4f78849576699c35095febc658c28fcb2cfd

General

Target

90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe
Size

1.3MB
MD5

90039c975ddc2e891b50aae18bed6a65
SHA1

095b1924543b08db76857bd95f06ce919eaf2236
SHA256

15a701b7671bcee70aa12b57edaf4f78849576699c35095febc658c28fcb2cfd
SHA512

2d3b1bdffc050f657527eb39eade9093c2829a7d4189f89dada98a68f149bfc173ca13ee9686632a8905327da2cccf7b34d51c586f3637817c7e0a709d94c8f9
SSDEEP

24576:L+pUFy+woYqqMK5mmczq36wUCQdjqfo13knOblF32bwHv/QMnSzLCvMqWj+QB:L+5oYtBmZzsBUCQZyo17bltbbSfw8+u

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

kBYeWZe3g.exe

pid process

4644 kBYeWZe3g.exe
Loads dropped DLL 3 IoCs

Processes:

kBYeWZe3g.exeregsvr32.exeregsvr32.exe

pid process

4644 kBYeWZe3g.exe
4736 regsvr32.exe
3336 regsvr32.exe

pid	process
4644	kBYeWZe3g.exe

pid	process
4644	kBYeWZe3g.exe
4736	regsvr32.exe
3336	regsvr32.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exekBYeWZe3g.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep"	kBYeWZe3g.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\NoExplorer = "1"	kBYeWZe3g.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ = "surf and! keep"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

kBYeWZe3g.exe

description	ioc	process
File created	C:\Program Files (x86)\surf and! keep\gpRPB9z4.dat	kBYeWZe3g.exe
File opened for modification	C:\Program Files (x86)\surf and! keep\gpRPB9z4.dat	kBYeWZe3g.exe
File created	C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll	kBYeWZe3g.exe
File opened for modification	C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll	kBYeWZe3g.exe
File created	C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll	kBYeWZe3g.exe
File opened for modification	C:\Program Files (x86)\surf and! keep\gpRPB9z4.dll	kBYeWZe3g.exe
File created	C:\Program Files (x86)\surf and! keep\gpRPB9z4.tlb	kBYeWZe3g.exe
File opened for modification	C:\Program Files (x86)\surf and! keep\gpRPB9z4.tlb	kBYeWZe3g.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

kBYeWZe3g.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	kBYeWZe3g.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{4B2F58B2-6359-4479-152C-CFDD59D18E15}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	kBYeWZe3g.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4B2F58B2-6359-4479-152C-CFDD59D18E15}	kBYeWZe3g.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{4B2F58B2-6359-4479-152C-CFDD59D18E15}	kBYeWZe3g.exe

Modifies registry class 64 IoCs

Processes:

kBYeWZe3g.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keep\ = "surf and! keep"	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}"	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	kBYeWZe3g.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keep.suRf	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\CLSID\ = "{4B2F58B2-6359-4479-152C-CFDD59D18E15}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19	kBYeWZe3g.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keep	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer\ = "suRf anD keep.2.19"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keep.2.19\ = "surf and! keep"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keep\CurVer\ = "suRf anD keep.2.19"	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.dll"	kBYeWZe3g.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Programmable	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Implemented Categories	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\surf and! keep\\gpRPB9z4.tlb"	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\ProgID\ = "suRf anD keep.2.19"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keep\CLSID	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	kBYeWZe3g.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\VersionIndependentProgID\ = "suRf anD keep"	kBYeWZe3g.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15}\Programmable	kBYeWZe3g.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exekBYeWZe3g.exeregsvr32.exe

description	pid	process	target process
PID 2548 wrote to memory of 4644	2548	90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe	kBYeWZe3g.exe
PID 2548 wrote to memory of 4644	2548	90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe	kBYeWZe3g.exe
PID 2548 wrote to memory of 4644	2548	90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe	kBYeWZe3g.exe
PID 4644 wrote to memory of 4736	4644	kBYeWZe3g.exe	regsvr32.exe
PID 4644 wrote to memory of 4736	4644	kBYeWZe3g.exe	regsvr32.exe
PID 4644 wrote to memory of 4736	4644	kBYeWZe3g.exe	regsvr32.exe
PID 4736 wrote to memory of 3336	4736	regsvr32.exe	regsvr32.exe
PID 4736 wrote to memory of 3336	4736	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

kBYeWZe3g.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{4B2F58B2-6359-4479-152C-CFDD59D18E15} = "1"	kBYeWZe3g.exe

C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90039c975ddc2e891b50aae18bed6a65_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
"C:\Users\Admin\AppData\Local\Temp/00294823/kBYeWZe3g.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4644

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\surf and! keep\gpRPB9z4.x64.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:3624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.dll
Filesize
363KB

MD5
9afeb7fa65aa31c6b871237d14a8fb94

SHA1
58f99ae9ea22f56f28b6c5fa798bda3109f297f6

SHA256
4cb847c3d1b5b9ae746e3725ae26b756c4eb980c93faf2a5963a030e9db2874a

SHA512
311655752677bad1e397ef2f03608ee9819157d211b65cb3b4d81a11b70c32fdd07a6e38c7b276e66ad7953f7549d1c881a0fd97ec82621365a4c2ec23dca855

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.tlb
Filesize
3KB

MD5
9f260bfcd1ef83627ceb2792ee3324f5

SHA1
078164529ae639e5ff9cf0e4003a82259c2aace8

SHA256
8ce97c40c3fea5c0a6446b3e647cdb0d1d38eb0a07c40a91a8df4ad0517b2526

SHA512
3e3fa6af779fdda2ecd4e75cfb7b09eae69352eb39560fecbeae750130a111aa099a11d91dce90ab2a7dc11a9fe25d3898c65da8de7fb5729398cdb8260dcd6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\gpRPB9z4.x64.dll
Filesize
398KB

MD5
410bb7e2c88f92de31b83a173e173e2d

SHA1
ff40233a038f80b7b1513431d6a9632e8f0e39f0

SHA256
afd8e3c979685360c26ff618eb85e0b788f7d9b743fc4e52b9337c242e5bf8d3

SHA512
d5a2727ac2936f189e4247852f147efe93f4473c690abb046c0e38cd8371198c601ae3ec41b04f389da208090c110b7d7ccc903bd3ae9f6ec1b926d5461fdd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.dat
Filesize
3KB

MD5
99df1dab85dd4b568804cf7123ecef54

SHA1
199ab77160bb3030b6ff57517b5cf318b1831cc9

SHA256
9838a34f6f10b8af37ac6d2eea2ff82ecc108c44e509a9e5e5bc2ff954455890

SHA512
31c835824b6f5639d49c26635e7e084616512b242c17ea8415644e3a7ec3419c2787c979a0b601e4ffe6f3f30a6d7a09b462d9c6f337c8b0aaa64432c4d693ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\kBYeWZe3g.exe
Filesize
356KB

MD5
6223a19e77e3b9b4f633e8863ee1cf40

SHA1
ee5ec9cffb59790d553f5a3394ad5808e1e37446

SHA256
d4041f6772da83d968fcf13181a9004ba69f89effc3a69bee019ab44b5ad1f46

SHA512
66c99f26af2895142c61d75025f9343cc132883f79a513b47c18da1f9eb2582971eeee0610779e20d51d378fda854bf4c5a51434a0f0425054a7d059f764bcb3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads