Analysis
-
max time kernel
127s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
20/06/2024, 03:22
Static task
static1
Behavioral task
behavioral1
Sample
02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/TypeLib.dll
Resource
win7-20240611-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/TypeLib.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral9
Sample
$R0.dll
Resource
win7-20240220-en
Behavioral task
behavioral10
Sample
$R0.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
$R2/NSIS.Library.RegTool.v3.$_2_.exe
Resource
win7-20231129-en
Behavioral task
behavioral12
Sample
$R2/NSIS.Library.RegTool.v3.$_2_.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral13
Sample
$SYSDIR/DWSHK80.dll
Resource
win7-20240419-en
Behavioral task
behavioral14
Sample
$SYSDIR/DWSHK80.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral15
Sample
$SYSDIR/MSVBVM60.dll
Resource
win7-20240508-en
Behavioral task
behavioral16
Sample
$SYSDIR/MSVBVM60.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
$SYSDIR/VB6KO.dll
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
$SYSDIR/VB6KO.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral19
Sample
$SYSDIR/dwsbc80.dll
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
$SYSDIR/dwsbc80.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
$SYSDIR/dwshengine80.dll
Resource
win7-20231129-en
Behavioral task
behavioral22
Sample
$SYSDIR/dwshengine80.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
UrlUpdate.exe
Resource
win7-20240220-en
Behavioral task
behavioral24
Sample
UrlUpdate.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral25
Sample
efbbar.dll
Resource
win7-20240611-en
Behavioral task
behavioral26
Sample
efbbar.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral27
Sample
efsbar.dll
Resource
win7-20240611-en
Behavioral task
behavioral28
Sample
efsbar.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral29
Sample
iewindow.exe
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
iewindow.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral31
Sample
nnlogon.exe
Resource
win7-20240220-en
Behavioral task
behavioral32
Sample
nnlogon.exe
Resource
win10v2004-20240508-en
General
-
Target
02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe
-
Size
1.5MB
-
MD5
02620653340ad8d2a425b5e5f8af258f
-
SHA1
94f8d4cc9ec4615cfd4a790549e23870f7c8f7a8
-
SHA256
577a7ec9e58665b9b840ce9618e2d330c065dc9a7d7b2109f52e392b77e839c4
-
SHA512
cbf3d33fde12a9d2347550a4a462d1d604fea3b72ffc60ccd51234241b8f1f79ee7923c00b4c762204b473411f082726c2daa950736ada322b8f6baf4c9cb6d3
-
SSDEEP
24576:V2xjlqM8GzLDG8tTo2Rig30oPQ1xTufJLckEY/fudN9GQcCeIRLhlAB2lX:ErqYzGRoqChcC/fkGQwIRLhlKS
Malware Config
Signatures
-
Executes dropped EXE 7 IoCs
pid Process 2576 urld.exe 2460 nnlogon.exe 1880 nnlogon.exe 1532 UrlUpdate.exe 2700 urlupdate1.exe 1812 ntmurl.exe 1364 iewindow.exe -
Loads dropped DLL 37 IoCs
pid Process 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 2576 urld.exe 2576 urld.exe 2576 urld.exe 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 2460 nnlogon.exe 2460 nnlogon.exe 2460 nnlogon.exe 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 1880 nnlogon.exe 1532 UrlUpdate.exe 2700 urlupdate1.exe 2700 urlupdate1.exe 2700 urlupdate1.exe 1816 regsvr32.exe 1088 regsvr32.exe 1812 ntmurl.exe 1812 ntmurl.exe 1812 ntmurl.exe 1364 iewindow.exe 1364 iewindow.exe 1364 iewindow.exe 1364 iewindow.exe 1364 iewindow.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 5 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72CEEE43-C350-4932-B3DC-B6201F01EFCB} ntmurl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\NoExplorer ntmurl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D815AB8A-E840-4054-B37D-943893116452} ntmurl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D815AB8A-E840-4054-B37D-943893116452}\NoExplorer ntmurl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D815AB8A-E840-4054-B37D-943893116452} REG.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\MSVBVM60.DLL 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File created C:\Windows\SysWOW64\DWSHK80.OCX 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat urlupdate1.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat ntmurl.exe File created C:\Windows\SysWOW64\NSearcher.exe ntmurl.exe File opened for modification C:\Windows\SysWOW64\NSearcher.exe ntmurl.exe File created C:\Windows\SysWOW64\VB6KO.DLL 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File created C:\Windows\SysWOW64\dwshengine80.dll 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File created C:\Windows\SysWOW64\dwsbc80.OCX 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe -
Drops file in Program Files directory 39 IoCs
description ioc Process File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\bhocode.ini 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\tags.mdb ntmurl.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\tmp.mdb ntmurl.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\system.mdb iewindow.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\iewindow.exe 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\ntmurl.dll 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\sslaunch.log ntmurl.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\ntmurl.exe 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.exe 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\sslaunch.dll 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\autoup.ini 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\uninst.exe 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.log nnlogon.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.log nnlogon.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\tags.mdb ntmurl.exe File created C:\Program Files\Netimo\NSearcher\NSearcher.exe ntmurl.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\tags.ldb iewindow.exe File created C:\Program Files (x86)\netimo\Common 
Shared\URLHelper\tagstemp.mdb 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\autoup.ini 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\nautoup.log UrlUpdate.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\system.mdb ntmurl.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\sbinstall.reg ntmurl.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\UrlUpdate.exe 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\ntmEnd.exe 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\navigator.ico 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\efbbar.dll 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\efsbar.dll 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\autoup.ini urlupdate1.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\tags.ldb ntmurl.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\bbuninstall.reg ntmurl.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.ini 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\urld.exe 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\bhocfg.ini 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\netimo\Common 
Shared\URLHelper\nnlogon.ini 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\urlupdate1.exe UrlUpdate.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\nautoup.log urlupdate1.exe File created C:\Program Files (x86)\netimo\Common Shared\URLHelper\urlupdate1.exe UrlUpdate.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\bhoexe.log ntmurl.exe File opened for modification C:\Program Files (x86)\netimo\Common Shared\URLHelper\tags.mdb iewindow.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 2064 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes ntmurl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars\{6A294C45-07CC-426C-9512-6742053E462C} REG.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{6A294C45-07CC-426C-9512-6742053E462C} REG.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{72CEEE43-C350-4932-B3DC-B6201F01EFCB}" ntmurl.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{72CEEE43-C350-4932-B3DC-B6201F01EFCB} ntmurl.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\ÀÌ ´Ü¾î °Ë»ö(&S) ntmurl.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" ntmurl.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt ntmurl.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\ÀÌ ´Ü¾î °Ë»ö(&S)\ = "res://C:\\Program Files (x86)\\netimo\\Common Shared\\URLHelper\\ntmurl.dll/SEARCH.HTM" ntmurl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars REG.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Explorer Bars REG.exe Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{6A294C45-07CC-426C-9512-6742053E462C}\BarSize = dc00000000000000 REG.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\URL = "http://search.netimo.net/ntmsearch.html?where=all&cp=ezsearch&adv=yahoo&type=forward&ssupply=1&q={searchTerms}" ntmurl.exe Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main ntmurl.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\DisplayName = "¾ßÈÄ" ntmurl.exe Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{72CEEE43-C350-4932-B3DC-B6201F01EFCB}\Codepage = "949" ntmurl.exe Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\ÀÌ ´Ü¾î °Ë»ö(&S)\contexts = "48" ntmurl.exe -
Modifies data under HKEY_USERS 42 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 urlupdate1.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ urlupdate1.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{67314B91-988A-4349-90A5-084295B64C98} urlupdate1.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{67314B91-988A-4349-90A5-084295B64C98}\WpadDecision = "0" urlupdate1.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ntmurl.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" ntmurl.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" ntmurl.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-df-05-09-4f-2d ntmurl.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{67314B91-988A-4349-90A5-084295B64C98}\c6-df-05-09-4f-2d ntmurl.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-df-05-09-4f-2d\WpadDecisionReason = "1" ntmurl.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-df-05-09-4f-2d\WpadDecisionTime = c012011cc1c2da01 ntmurl.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{67314B91-988A-4349-90A5-084295B64C98}\WpadDecisionTime = c012011cc1c2da01 urlupdate1.exe Set value (int) 
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-df-05-09-4f-2d\WpadDecision = "0" urlupdate1.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings ntmurl.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" urlupdate1.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" urlupdate1.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 urlupdate1.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-df-05-09-4f-2d urlupdate1.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings urlupdate1.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" urlupdate1.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{67314B91-988A-4349-90A5-084295B64C98}\c6-df-05-09-4f-2d urlupdate1.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-df-05-09-4f-2d\WpadDecisionTime = c012011cc1c2da01 urlupdate1.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix ntmurl.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-df-05-09-4f-2d\WpadDecision = "0" ntmurl.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-df-05-09-4f-2d\WpadDetectedUrl ntmurl.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections urlupdate1.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" urlupdate1.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{67314B91-988A-4349-90A5-084295B64C98}\WpadDecisionReason = "1" urlupdate1.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{67314B91-988A-4349-90A5-084295B64C98}\WpadNetworkName = "Network 3" urlupdate1.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections ntmurl.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix urlupdate1.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" urlupdate1.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad urlupdate1.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0121000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 urlupdate1.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-df-05-09-4f-2d\WpadDecisionReason = "1" urlupdate1.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ntmurl.exe Set value (int) 
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" ntmurl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad ntmurl.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings urlupdate1.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" ntmurl.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0121000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ntmurl.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" ntmurl.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F16DB30-C562-41AD-A3B3-4D405BBBEFEE}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F2-7697-11D1-A1E9-00A0C90F2731}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\TypeLib\Version = "6.0" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6968E7F-3422-4CB7-8F37-3951F4880511}\TypeLib 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\efindersidebar.CHandler\Clsid\ = "{D815AB8A-E840-4054-B37D-943893116452}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E9BF828-7362-4850-9FE7-59E26521AC34}\TypeLib 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6968E7F-3422-4CB7-8F37-3951F4880511}\InprocServer32\ThreadingModel = "Apartment" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{651520F0-B9D9-46CE-987F-C8697222B4B8}\Programmable 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5FC14064-8342-4D18-947E-3BD813100F99}\TypeLib\ = "{70CA7ADF-1545-4085-A81F-260C365C5EF2}" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E9BF828-7362-4850-9FE7-59E26521AC34} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.IURLHelper regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F1-7697-11D1-A1E9-00A0C90F2731}\TypeLib\Version = "6.0" 
02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Dwsbc80.DwsbcPropPage.1\ = "DwsbcPropPage Class" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FB96837-674C-407F-BBA0-CDC0D501512C}\TypeLib 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E81505D-47A7-471B-B348-07BDA6159756}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C36516DD-9577-4347-B0DC-D3641BDBEB36}\ = "_CTimer" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0E9BF828-7362-4850-9FE7-59E26521AC34}\ = "_CSBCriteria" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C866B2C5-14CF-4908-8D11-7FA85FD63EC2}\InprocServer32\ = "C:\\Windows\\SysWow64\\DWSHK80.OCX" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F82DCAD1-72A9-4E4A-B034-1E12EEB5F53A}\ = "CSBCriterion" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C48E43A2-A7B7-4293-A13A-F4B29158A0BB}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E72183BD-2FD6-4FEC-A806-BB3DE07A5E35} 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C36516DD-9577-4347-B0DC-D3641BDBEB36} 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26893EEF-3781-4234-8D71-EF9C394156A3}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C2-4442-11D1-8906-00A0C9110049}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8284B8A2-A8A8-11D1-A3D2-00A0C90AEA82}\TypeLib 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dwshk80.MsgList.1 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dwshk80.MsgList.1\ = "MsgList PropertyPage" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15985491-68E2-49DD-9F73-BFC0DCAB8584}\InprocServer32 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C36516DD-9577-4347-B0DC-D3641BDBEB36}\TypeLib 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5FC14064-8342-4D18-947E-3BD813100F99} 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F8A3508D-B8F0-4619-94D1-A85A54B9ABAE}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FB96837-674C-407F-BBA0-CDC0D501512C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA496C82-EF15-498A-9281-71C17D2E83B1}\ProxyStubClsid 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E43FD401-8715-11D1-98E7-00A0C9702442}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F16DB30-C562-41AD-A3B3-4D405BBBEFEE}\TypeLib\ = "{C6E6B197-9348-449E-A149-384B208874B1}" 
02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{044D0F63-C274-40B2-8F50-F09A06DCFBE1}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{70CA7ADF-1545-4085-A81F-260C365C5EF2}\8.0\FLAGS 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E9ECAA7A-3EAC-4F41-8375-84AC9D2AC3AF} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{26893EEF-3781-4234-8D71-EF9C394156A3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.GSubclass\ = "ntmURL.GSubclass" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ntmURL.GSubclass\Clsid 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{446F2D1F-88B2-4928-ADCD-7B23714C00AD}\MiscStatus 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B6251B70-4401-4A2B-A482-771D388734C3}\InprocServer32\ = "C:\\Windows\\SysWow64\\dwsbc80.OCX" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26893EEF-3781-4234-8D71-EF9C394156A3}\ = "_CSBCriterion" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6A294C45-07CC-426C-9512-6742053E462C}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD8BFC7F-4A69-4C23-B496-78B301B5193F}\ = 
"__CTimer" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4C466B8-499F-101B-BB78-00AA00383CBB}\ = "_ErrObject" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dwshk80.MsgList\CurVer 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{149BD92F-B28E-4C04-8B4D-46CDD176B7E4}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B07FABA-099B-4D62-9780-D254A04E32F5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C48E43A2-A7B7-4293-A13A-F4B29158A0BB}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C36516DD-9577-4347-B0DC-D3641BDBEB36}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{884DA533-61D6-43BD-AF00-BB3E961BFD29} 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{884DA533-61D6-43BD-AF00-BB3E961BFD29}\ = "ntmURL.CSideBar" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}\ = "DataObject" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dwSbc80.MsgList.1 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3F16DB30-C562-41AD-A3B3-4D405BBBEFEE}\TypeLib\Version = "415.4" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A625F501-206F-4713-9DE1-DD3AF4AC4BF9}\TypeLib\Version = "415.4" 
02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B07FABA-099B-4D62-9780-D254A04E32F5} 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA496C82-EF15-498A-9281-71C17D2E83B1}\TypeLib 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA496C82-EF15-498A-9281-71C17D2E83B1}\ = "CSideBar" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA496C82-EF15-498A-9281-71C17D2E83B1}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}\TypeLib\Version = "6.0" 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1880 nnlogon.exe 2700 urlupdate1.exe 2700 urlupdate1.exe 2700 urlupdate1.exe 2700 urlupdate1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1880 nnlogon.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 2576 urld.exe 1532 UrlUpdate.exe 2700 urlupdate1.exe 1812 ntmurl.exe 1364 iewindow.exe 1364 iewindow.exe 1364 iewindow.exe 1364 iewindow.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2212 wrote to memory of 2576 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 28 PID 2212 wrote to memory of 2576 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 28 PID 2212 wrote to memory of 2576 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 28 PID 2212 wrote to memory of 2576 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 28 PID 2212 wrote to memory of 2576 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 28 PID 2212 wrote to memory of 2576 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 28 PID 2212 wrote to memory of 2576 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 28 PID 2212 wrote to memory of 2460 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 29 PID 2212 wrote to memory of 2460 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 29 PID 2212 wrote to memory of 2460 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 29 PID 2212 wrote to memory of 2460 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 29 PID 2212 wrote to memory of 2460 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 29 PID 2212 wrote to memory of 2460 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 29 PID 2212 wrote to memory of 2460 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 29 PID 2212 wrote to memory of 2064 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 31 PID 2212 wrote to memory of 2064 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 31 PID 2212 wrote to memory of 2064 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 31 PID 2212 wrote to memory of 2064 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 31 PID 2212 wrote to memory of 2064 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 31 PID 2212 wrote to memory of 2064 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 31 PID 2212 wrote to memory of 2064 2212 02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe 31 PID 1880 wrote to memory of 
1532 1880 nnlogon.exe 34 PID 1880 wrote to memory of 1532 1880 nnlogon.exe 34 PID 1880 wrote to memory of 1532 1880 nnlogon.exe 34 PID 1880 wrote to memory of 1532 1880 nnlogon.exe 34 PID 1880 wrote to memory of 1532 1880 nnlogon.exe 34 PID 1880 wrote to memory of 1532 1880 nnlogon.exe 34 PID 1880 wrote to memory of 1532 1880 nnlogon.exe 34 PID 1532 wrote to memory of 2700 1532 UrlUpdate.exe 35 PID 1532 wrote to memory of 2700 1532 UrlUpdate.exe 35 PID 1532 wrote to memory of 2700 1532 UrlUpdate.exe 35 PID 1532 wrote to memory of 2700 1532 UrlUpdate.exe 35 PID 1532 wrote to memory of 2700 1532 UrlUpdate.exe 35 PID 1532 wrote to memory of 2700 1532 UrlUpdate.exe 35 PID 1532 wrote to memory of 2700 1532 UrlUpdate.exe 35 PID 2700 wrote to memory of 1812 2700 urlupdate1.exe 36 PID 2700 wrote to memory of 1812 2700 urlupdate1.exe 36 PID 2700 wrote to memory of 1812 2700 urlupdate1.exe 36 PID 2700 wrote to memory of 1812 2700 urlupdate1.exe 36 PID 1812 wrote to memory of 1816 1812 ntmurl.exe 37 PID 1812 wrote to memory of 1816 1812 ntmurl.exe 37 PID 1812 wrote to memory of 1816 1812 ntmurl.exe 37 PID 1812 wrote to memory of 1816 1812 ntmurl.exe 37 PID 1812 wrote to memory of 1816 1812 ntmurl.exe 37 PID 1812 wrote to memory of 1816 1812 ntmurl.exe 37 PID 1812 wrote to memory of 1816 1812 ntmurl.exe 37 PID 1812 wrote to memory of 1088 1812 ntmurl.exe 38 PID 1812 wrote to memory of 1088 1812 ntmurl.exe 38 PID 1812 wrote to memory of 1088 1812 ntmurl.exe 38 PID 1812 wrote to memory of 1088 1812 ntmurl.exe 38 PID 1812 wrote to memory of 1088 1812 ntmurl.exe 38 PID 1812 wrote to memory of 1088 1812 ntmurl.exe 38 PID 1812 wrote to memory of 1088 1812 ntmurl.exe 38 PID 1812 wrote to memory of 2160 1812 ntmurl.exe 39 PID 1812 wrote to memory of 2160 1812 ntmurl.exe 39 PID 1812 wrote to memory of 2160 1812 ntmurl.exe 39 PID 1812 wrote to memory of 2160 1812 ntmurl.exe 39 PID 1812 wrote to memory of 1224 1812 ntmurl.exe 41 PID 1812 wrote to memory of 1224 1812 ntmurl.exe 41 PID 
1812 wrote to memory of 1224 1812 ntmurl.exe 41 PID 1812 wrote to memory of 1224 1812 ntmurl.exe 41 PID 1812 wrote to memory of 1656 1812 ntmurl.exe 43 PID 1812 wrote to memory of 1656 1812 ntmurl.exe 43 PID 1812 wrote to memory of 1656 1812 ntmurl.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\02620653340ad8d2a425b5e5f8af258f_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Program Files (x86)\netimo\Common Shared\URLHelper\urld.exe"C:\Program Files (x86)\netimo\Common Shared\URLHelper\urld.exe" http://search.netimo.net/gmtoolbar/log/m_install_counter.php?pcode=ezsearch&isinstall=12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2576
-
-
C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.exe"C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.exe" -i2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2460
-
-
C:\Windows\SysWOW64\sc.exe"sc" start efinderservice2⤵
- Launches sc.exe
PID:2064
-
-
C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.exe"C:\Program Files (x86)\netimo\Common Shared\URLHelper\nnlogon.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Program Files (x86)\netimo\Common Shared\URLHelper\UrlUpdate.exe"C:\Program Files (x86)\netimo\Common Shared\URLHelper\UrlUpdate.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Program Files (x86)\netimo\Common Shared\URLHelper\urlupdate1.exe"C:\Program Files (x86)\netimo\Common Shared\URLHelper\urlupdate1.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Program Files (x86)\netimo\Common Shared\URLHelper\ntmurl.exe"C:\Program Files (x86)\netimo\Common Shared\URLHelper\ntmurl.exe" install scope addressbar4⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Program Files (x86)\netimo\Common Shared\URLHelper\ntmurl.dll"5⤵
- Loads dropped DLL
- Modifies registry class
PID:1816
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\Program Files (x86)\netimo\Common Shared\URLHelper\efsbar.dll"5⤵
- Loads dropped DLL
- Modifies registry class
PID:1088
-
-
C:\Windows\SysWOW64\REG.exeREG IMPORT "C:\Program Files (x86)\netimo\Common Shared\URLHelper\sbinstall.reg"5⤵
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
PID:2160
-
-
C:\Windows\SysWOW64\REG.exeREG IMPORT "C:\Program Files (x86)\netimo\Common Shared\URLHelper\sbinstall.reg"5⤵
- Modifies Internet Explorer settings
PID:1224
-
-
C:\Windows\SysWOW64\REG.exeREG IMPORT "C:\Program Files (x86)\netimo\Common Shared\URLHelper\bbuninstall.reg"5⤵
PID:1656
-
-
C:\Program Files (x86)\netimo\Common Shared\URLHelper\iewindow.exe"C:\Program Files (x86)\netimo\Common Shared\URLHelper\iewindow.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1364
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
152KB
MD5df4c70adfe3ee8e7d0a7d396754681ea
SHA186d6bc8e6961a01aa689909d678512e0e3bc202c
SHA25694a6a81ad5c12aec33d7274e43ed8197cd476bb9680724995631fd971e8a3d86
SHA51294e8fa6c92cbb30320b2067158549e6079be66489c4a2c8008ec7675d9135cddd477137b3c08fe7e7a41d2da6fcc3732d9ae10e8bc47226108938249fa33fa4e
-
Filesize
755B
MD5f82cc945d023cf65d884252c34e87c50
SHA1a08ce4b8cfc06d7f5c43c9156735b84b0a5a687f
SHA256c4cd6af1a5603a37a6bd63a0c3eed36b3f348688f783d5512ea40cbdcc18788b
SHA5128f88125981213df738282bd5da48446f9715264b888e8bc5fa6677120b2b8abf44ad5b5639fa7aa785a84d709a73ca00b8779ed97cd609d4db1883dbf8deab65
-
Filesize
755B
MD5648739c9101a1c11b1153b9209fd3132
SHA1f5f58cc445299cceaf3270f92db08b8159102e4b
SHA256e281556eaa532e57cadf88c7e618711b99025280b80e0aedfe8f47629ba00782
SHA512240a3c7429946648c633706678d07a1cf16637c1b293ea5671ff630865f7cfcb0ba445cc590db11e8c567be5302b802a06e5993528324abbeee7f0d9e30e6087
-
Filesize
442B
MD5d1b9ce8ba9d227e61b8200e837a791da
SHA15ae250f8c2191376d9a07d80c356cedf976a7575
SHA2563f0c9bf08a9cdcdb96c2401271dc2bf0316adc6d4b01dde12c0d9da32594690d
SHA512265d60be34fa0457e7a7073ccfacf7748b8bddf003589cc53e6e9f2d055a0b442fe21521b78d2e2321faeab7f401eeca7d7f32b3ba65c8d64fdaa521b243965c
-
Filesize
10KB
MD58eb1f202b12256dc732a17590d7d508e
SHA18b032c6f45112d2aa3e72bcdfbcbd00144418e54
SHA256d865151fc6bd08ae20c1252b197b658fc293a5183ec1f294a05d305c714070f5
SHA5123ef8dfae492a5dd2887e7ea2e41a879322cdce86f8ee97e3438a47164c39d11349559c18e8bb27017f6ede0c4c5c69dfe05bb870657468f2faa9431de105f7bd
-
Filesize
27B
MD590f148367abbd9f6304f2cf05b91a490
SHA1e63b00e3e7d337e26639205c25c1028426b3dbef
SHA256bb31532a370f3325aeb125720cd1f1cf3834a3d07e8dbf963f3bccb7649da7a0
SHA512e5cba1708ae8fabe42c4687f043e67354b45a06eca583e489f87228a33df1edaa311fcfdb1e44b8aa225f3ac1927f99eec39f89ae5623dc8eadb0bdd683a2a8d
-
Filesize
149KB
MD526eccc32791911ccdfe0aec05f733cf8
SHA1cf0ffd6ee73c6dcb7cd52f4a863b6a5e44c29cbd
SHA256b4f5d03f1649f2631e122dba48a18e3ee705d073ce5800bda90730d0ad6a35c1
SHA5126841d08827476416bdc8ee2a224c0f2aaa8827acc32a78e1ecd3fecd796fadc2fc4aaf78af11f9e14a6ffcbc70bf7205c482f34a36ec07d3cc412d45d62cdf35
-
Filesize
273B
MD5281deaa01673d9dccd3cd19c226ce8e4
SHA13034975e5acc8fc124e9919618e4be29c869947e
SHA25691ed182ce1290abd4cad092f4d372c69f19e15e66f5650c7b8904d16dd132e55
SHA51291df3d4b3e519bec88df4fb60486d75a3ede77ef6c2bf9fa6c1ae704640cd69197b41a7e733beb9059a7cf7c36bae718826062ff37e96e5fe9f4e8d6e441ebb9
-
Filesize
362B
MD53352808839a5d78e7ba644eee3baee26
SHA174e8e0558fac4fa9b4b6edb4cd965c3a48611493
SHA256b5f551b88b1c76f9b54ccec5f3c19e4f91ea1705320dccbcb1f75d5a9c5cc9b9
SHA512c3ac39b6b4feccb4da905cf79c40e00d332fcb420759d089eba13baa13fa6e70569e2ad24656648523557b8c5542cdef57ac71d18a5d233899b34b6c8d9bca93
-
Filesize
990B
MD587f6a3cf5b4d8991170215f3a9adefd5
SHA1c7f65e9991ed6ffdc7ddf941e6cd615789a1d42a
SHA256d764f04b4ac9b03db8a689e5efa7dffa3ae057070a553e03406eea1753e9a457
SHA5121d89eb79a5bdfbfad347a58b423a88cadddb1ecd2df896c49710bf77056b0d6456d6d81bab3e971ea9b4dec786d56480610c49eeb780492db48e9a625a4fefd9
-
Filesize
353B
MD5ab080d6bc38d3d9cab6560ed747ca2e9
SHA17e45199e3faba50c99ea2064a35eb65374797f37
SHA256e5255dd862b8023bdd148ac70caf375e875f7b650c94555fa49f9598d2517d50
SHA512cf997fefa7119c5b65695d11ce2c4c15ff8bbf1db823db6a6ddc0e12a9409687818b07e941a89af3efd45e2e3bf438e79e0ff9670f02b94fb24b97e8c3592238
-
Filesize
830B
MD599efeac3859992432d0973cbac6e9b30
SHA16f987006f2fe72031084bb86e18ed2f7ba4807e6
SHA256a89c9dcc2775d7b98f177fd55c553e5b00d1800a59322e1e1e854a79620868ae
SHA51242c441aade296c8acce5d424b919e14476d0da84a552dba118c7487415540020687fe290849214dc8067fdbc35a7a6002cd687faf048d7d2e495fd476b3788e3
-
Filesize
324B
MD5058f2758bb8063271a5c5c6257ea9cd2
SHA16928513ee55a2a32871c08f1a3aa890c6147b074
SHA2562e58e8a351d814537317d27c339272ec69e611daa63c7df80a3dc8666096fc98
SHA5120bc4a847b8aaf00f596ef97a9942882a224397b5af52628417695724d4b9dec07547f48003c902493e71832c1622305736d7119e5a278822ab55cfccef1df1a7
-
Filesize
60KB
MD5412706c54d6ed78c5cd624dc55ef293f
SHA1a4edb4fe218916ed2294458e7829ed608d6eb4f0
SHA256572b99582027ac31ea036ddb8066bb4118e7c44ab98125a35f863cc710a4ebcf
SHA5121e8fb64759f17223f93260ce27d6e877ff8f704391703457e52925582d88b1b094f824708157aa336291cefff478041986a223ee5ffc03af1b6c9563512bc6c2
-
Filesize
232KB
MD53ac1ce53d6450a4aa9683ae8eab5ac24
SHA14545172c62a377517f34854a75da48c1810fd0e7
SHA2566235600b6b2d2dfb892a7b746f5dfaab8dc824cb603f4006fc860dff7cfb6514
SHA512135853d29d2ce1f5bb676dfe7677f91e118b1dec580ee859c90199d6171dc055bcffc8b82edc836d71f6088eea21848c57721e2879a1e93add4016d5b31c39a0
-
Filesize
184KB
MD5499943ab2d6a704f9d7dbb8ec1aeed61
SHA1f98e08c95e7229e3e32d587e061c8548e0e4d411
SHA256504890d04367979ba23222b15892df6b75f140fde436219bb4d49ac5e949597a
SHA512c4c7d8ec105fc77e6e109fb1e6aed317a41b794b2c87d55d84e23e74fb4fca546f8e95b590fdedbfbd3295f0ee08bb6cca2f8979022ced29e62a6851f26b2d3d
-
Filesize
99KB
MD584742b5754690ed667372be561cf518d
SHA1ef97aa43f804f447498568fc33704800b91a7381
SHA25652b64e2bfc9ee0b807f2095726ace9e911bcd907054ac15686a4e7d2fd4dc751
SHA51272ac19a3665a01519dac2ad43eb6178a66ad7f4e167f2a882cbca242978f8debe3e15d0e210c3b0391590699999f33a1fd5de4ca6559ff894b4e6cb4ac1415a0
-
Filesize
160B
MD5a3f15fb605bd7885c66a4181e4b9e661
SHA16c1f8c5286f1d6bc33754ad2b96b92861e39c956
SHA25679f16ef1a13262e965d6490902a74dee9d9818dde39c6c3ef159443816e2e8a5
SHA5129c0302647a03d5e0be2b0cec4e585f9ae714d971d55057e28eeada0ce3011f19c4de555d7e204e815988a908d49fb2e5b4bac2d662cd7c7bf3219da9ec9c7a51
-
Filesize
405KB
MD5c586e5bf4514ad24b6a0002e13d6452b
SHA16d22ea2e2ae087864c0f91a602cf5b588c54126e
SHA256813be8eb3e53948faa20f051023fa132fd564e977c7932d130f5ea7a19c0d5dd
SHA512a917390bda68c91f82764eb93ea5d9ce9d330fda9fe24b6956ee16312f342bf4213e0c8f737d83feb8bbf70f82df41d2c7720d4cbaa92982a9584987ea2327e1
-
Filesize
68KB
MD54f8ec9279ce71a9feafd811a2a0fe8fc
SHA18c5e103eeb3dec74297b41739a28eb0c1b4d0478
SHA2568a730e05ec59ca9c2bea7b950b7178c5174da28d0843ba1f3f10b47e352b219d
SHA51261c0b531b0530afba51138bc8d876a715e059fa716652b9155bead099c1e6dea9a972f219bc593d6e0ef4d7bc849a9108cb6cd99eb72e61d8d0f45e3199908c9
-
Filesize
173KB
MD5ed9849f48772d4ec5e908d734c00c961
SHA1b0a0f33eceefcdc18da32a67297637610fe9054c
SHA2568899425303feb63b583a562189f50458d16c805f1d363a61fdee0444833ab644
SHA5123ce061c449c6379fa0f7178280b69aea3ebeb97fec24eb54984fc78f1fd1d8fa66be8a3347a07982bfae566feb93b28da662061cee8ddee5cfa6f34811ae3190
-
Filesize
221KB
MD54776b67e6c7f6bcd3d713b84fbe08f65
SHA1a42a88fd3510b160f3ced8434b524281cb99f6d6
SHA2561bedf458f12e8cb8347197fe992661532c2bb5d517065c3f2c5bf000483a1bf1
SHA5129e0aa04c87e8b5d79c90b4821c0ab8dad2821ecfe40a72c2a93046873841af86e5d78f3759fec5ce329c68c2d3bb77f049a8249685a0594ef541a07a2182cbb5
-
Filesize
24KB
MD57976109acc6cdb26f4a547d8c6dfd883
SHA1a44f84119c307ff84c2af9e36e4c997c9477eacc
SHA256c9d815568b137badd66801375fa45a84059b54091e6b41736168d5e8ff014924
SHA51257a906fc649c13dab773c2f09d5945b2b56a3a26a8df2c922fa120175b7115076dda11b9367101e3853758be478b61bdfd46457735522e73f68ae7a5de39833f
-
Filesize
3KB
MD556abaa41368ddf53d01421760f9d72f4
SHA168a4e41d46366e8116bdfeba34d94b628fc6fb45
SHA25675c206fba2ec5d344ca514e6451d8892f939f15e8afc1c132bbc9eca886ed1de
SHA51298aaee865ee756f6193fb89f35aaf019953c597f92f0e6d3f4a8ead27d5c09f8ac9d39b547a655f2eb4ce6b8867b4e12a20f43749bce3bc2a5f7e668378649d9
-
Filesize
6KB
MD5acc2b699edfea5bf5aae45aba3a41e96
SHA1d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
200KB
MD5956041a95acf9738b712c71c55672094
SHA184959e2c0b07d631de4f71da32e1c3c301285e68
SHA2568413fe7000baca9e7a2fdef33922d17d97ef9d16799444b945b3c73fee953c6b
SHA512c93085f6e4159e3a75e9167e036214930a3ec3960d5eb3e0812f164a841f60b1c3454bcc7a2227b7d0e80c303db11d322a1e6862d643a614c32e4d6b1798b298
-
Filesize
167KB
MD5456b24a38b8e2d2f3303e0b4d05cc929
SHA13c981bbac31706cc9189605959f9eba7acbb17a7
SHA256242934d4d92948817dd00eec4e8592f7044f5bfc7b2ad2603c826c5cea7b09e5
SHA5124476f50a9ade47c848f882b56758111d39a79e61ac62cebf09c8b8d7baaaa77767c11da6e6732caa383b372d0d8a49be116e111299f637e2ea722fa5fd978385
-
Filesize
137KB
MD5df901a23e6da0cad1981f0a7c13fbf24
SHA178f8f8e857e5ce4dce9fdc6658b5780b07167df7
SHA256a8ab488c1ffeed943a68ce7f72fa2eb1b9b21b62c01fbd405a93906a4b357621
SHA5121d530caccd728006b1c169a9684044b45384ff4caca02f95c26e15339c4bcfad00f70a85b9f3b6d6d84aed242536ecea454636688e33fa6c6558f67378fc8228