10bf49ec7e5c4b92fec447e9e7362e89900fb3d8542c9bffc72ffbe4d5a4cdec

General

Target

bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Size

1.2MB
MD5

bb76ed7540a0dec49577ed89042c9b39
SHA1

56293d57896df8752c92c033ae7c16d3891a97a1
SHA256

10bf49ec7e5c4b92fec447e9e7362e89900fb3d8542c9bffc72ffbe4d5a4cdec
SHA512

9f1be1865716e257ff461f0eabc78a5853064c9e7a3f2aa371e9cc6d829aa6ff2c114c248e96edcb0e12c525df12c72ab1d9911b7d14ecb5c2d4fd7cf5aa4a15
SSDEEP

24576:QGOQLjoogapm6uhrPoRYyKVk21hmKSKcj0yWO:nlLmac3oOfRmKpYhd

Score

7^/10

discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

Modifies registry class 39 IoCs

Processes:

bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version\ = "1.0"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\Version = "1.0"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ = "TinyJSObject Class"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ServerExecutable = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ = "ITinyJSObject"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\ = "JSIELib"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib\ = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib\ = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS\ = "0"	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 756 bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

pid process

756 bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

pid process

756 bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

pid process

756 bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
756 bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	756	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

pid	process
756	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

pid	process
756	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

pid	process
756	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
756	bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb76ed7540a0dec49577ed89042c9b39_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-0-0x0000000000360000-0x0000000000497000-memory.dmp

Filesize
1.2MB

Download
memory/756-4-0x0000000000360000-0x0000000000497000-memory.dmp

Filesize
1.2MB

Download
memory/756-5-0x0000000000360000-0x0000000000497000-memory.dmp

Filesize
1.2MB

Download
memory/756-3-0x0000000000360000-0x0000000000497000-memory.dmp

Filesize
1.2MB

Download
memory/756-2-0x0000000000360000-0x0000000000497000-memory.dmp

Filesize
1.2MB

Download
memory/756-1-0x0000000000360000-0x0000000000497000-memory.dmp

Filesize
1.2MB

Download
memory/756-8-0x0000000000360000-0x0000000000497000-memory.dmp

Filesize
1.2MB

Download
memory/756-9-0x0000000002D90000-0x0000000002EBA000-memory.dmp

Filesize
1.2MB

Download
memory/756-16-0x0000000000360000-0x0000000000497000-memory.dmp

Filesize
1.2MB

Download
memory/756-21-0x0000000000360000-0x0000000000497000-memory.dmp

Filesize
1.2MB

Download
memory/756-24-0x0000000000360000-0x0000000000497000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads