Analysis
max time kernel: 133s
max time network: 126s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 20-06-2024 07:01
Behavioral task: behavioral1
Sample: 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe
Size: 47KB
MD5: 03da88767a246e825382e9965bc2cad4
SHA1: df91b915d2192bd0eb76a517c45a4cee87f28443
SHA256: 77b6690fb7a6c9940f05a677e863e1488bf170e309fdc708d5ab486754f8a2fc
SHA512: 830b07e31a52b18f0fabb4af28578909c61f209d9ddea2bf61954eba7a5af3ada487e1570e1adc7713af9e3a412ce03ecd1adce309a4083d3df326929ce82d3f
SSDEEP: 768:AgNDHRi9jlJO+7WTCm5MqTZ53tnhiuhEP809eX2A1puPW7MEyhdECP1UcfbJub:AgN7Ri9bYzbzbiuhEL9KjuewJx1fQb
Malware Config
Signatures
- Loads dropped DLL 1 IoCs
  Processes:
  pid | process
  2140 | regsvr32.exe
-
  resource | yara_rule
  behavioral1/memory/2368-1-0x0000000000400000-0x0000000000429000-memory.dmp | upx
  behavioral1/memory/2368-15-0x0000000000400000-0x0000000000429000-memory.dmp | upx
- Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A2F253AD-1F23-4D87-A64B-D6987F38D981} | regsvr32.exe
- Drops file in System32 directory 4 IoCs
  Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\gopfa.dll | 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\c.ico | 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\m.ico | 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\s.ico | 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F70A54D1-2ED2-11EF-8B04-EAF6CDD7B231} = "0" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000293d2a592ff8e98e95084b7121acad7f2473c52f735aa8c73db6beb1acc65a60000000000e8000000002000020000000320059cb7fbc2f7e75223b2b0f8aaa8a05a5d0dde8b0a56ac203b704d9fac850200000007ffa6d01f567c939f10dc36d9b5725983e731e3488d20099e4024929ccb8379e4000000041f5eafd1ddde030bfea3b7934fad14cd8f854280d79aab5a574d0e5072d59493ab9f9188d9a34445514b59440705ae7eec2d43425124fcdedf411a06693a3bf | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d04a8bcbdfc2da01 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425028776" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | iexplore.exe
- Modifies registry class 60 IoCs
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB3DB4D7-B8F4-4097-80A6-A2E93D08C92D}\TypeLib | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E58DFE1-D27C-4CF0-BFEF-539A63C0BECE} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E58DFE1-D27C-4CF0-BFEF-539A63C0BECE}\TypeLib\Version = "1.0" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Poals\CLSID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2F253AD-1F23-4D87-A64B-D6987F38D981}\VersionIndependentProgID\ = "pnphon.Bho" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0\ = "Type Library" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB3DB4D7-B8F4-4097-80A6-A2E93D08C92D}\ = "_IBhoEvents" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E58DFE1-D27C-4CF0-BFEF-539A63C0BECE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E58DFE1-D27C-4CF0-BFEF-539A63C0BECE} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0\HELPDIR | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB3DB4D7-B8F4-4097-80A6-A2E93D08C92D}\TypeLib\ = "{10026069-7A5F-4531-811E-C8DF20643BEE}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E58DFE1-D27C-4CF0-BFEF-539A63C0BECE}\ = "IBho" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E58DFE1-D27C-4CF0-BFEF-539A63C0BECE}\TypeLib\Version = "1.0" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2F253AD-1F23-4D87-A64B-D6987F38D981}\Programmable | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB3DB4D7-B8F4-4097-80A6-A2E93D08C92D}\TypeLib\Version = "1.0" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2F253AD-1F23-4D87-A64B-D6987F38D981}\InprocServer32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB3DB4D7-B8F4-4097-80A6-A2E93D08C92D}\ = "_IBhoEvents" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB3DB4D7-B8F4-4097-80A6-A2E93D08C92D}\ProxyStubClsid32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB3DB4D7-B8F4-4097-80A6-A2E93D08C92D} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB3DB4D7-B8F4-4097-80A6-A2E93D08C92D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pnphon.Bho | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pnphon.Bho\CLSID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Poals\CLSID\ = "{A2F253AD-1F23-4D87-A64B-D6987F38D981}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E58DFE1-D27C-4CF0-BFEF-539A63C0BECE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2F253AD-1F23-4D87-A64B-D6987F38D981}\ProgID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2F253AD-1F23-4D87-A64B-D6987F38D981}\TypeLib\ = "{10026069-7A5F-4531-811E-C8DF20643BEE}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\gopfa.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB3DB4D7-B8F4-4097-80A6-A2E93D08C92D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E58DFE1-D27C-4CF0-BFEF-539A63C0BECE}\ProxyStubClsid32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Poals | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2F253AD-1F23-4D87-A64B-D6987F38D981}\ = "Phonomia" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2F253AD-1F23-4D87-A64B-D6987F38D981} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2F253AD-1F23-4D87-A64B-D6987F38D981}\VersionIndependentProgID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2F253AD-1F23-4D87-A64B-D6987F38D981}\InprocServer32\ = "C:\\Windows\\SysWow64\\gopfa.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB3DB4D7-B8F4-4097-80A6-A2E93D08C92D}\TypeLib\ = "{10026069-7A5F-4531-811E-C8DF20643BEE}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E58DFE1-D27C-4CF0-BFEF-539A63C0BECE}\TypeLib | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0\FLAGS\ = "0" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0\0 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB3DB4D7-B8F4-4097-80A6-A2E93D08C92D} | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E58DFE1-D27C-4CF0-BFEF-539A63C0BECE}\TypeLib\ = "{10026069-7A5F-4531-811E-C8DF20643BEE}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Poals\ = "Phonomia" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pnphon.Bho\CLSID\ = "{A2F253AD-1F23-4D87-A64B-D6987F38D981}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\pnphon.Bho\CurVer | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2F253AD-1F23-4D87-A64B-D6987F38D981}\ProgID\ = "Poals" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB3DB4D7-B8F4-4097-80A6-A2E93D08C92D}\TypeLib | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E58DFE1-D27C-4CF0-BFEF-539A63C0BECE}\TypeLib | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E58DFE1-D27C-4CF0-BFEF-539A63C0BECE}\TypeLib\ = "{10026069-7A5F-4531-811E-C8DF20643BEE}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pnphon.Bho\ = "Phonomia" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0\FLAGS | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2F253AD-1F23-4D87-A64B-D6987F38D981}\TypeLib | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E58DFE1-D27C-4CF0-BFEF-539A63C0BECE}\ProxyStubClsid32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\pnphon.Bho\CurVer\ = "Poals" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2F253AD-1F23-4D87-A64B-D6987F38D981}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB3DB4D7-B8F4-4097-80A6-A2E93D08C92D}\TypeLib\Version = "1.0" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB3DB4D7-B8F4-4097-80A6-A2E93D08C92D}\ProxyStubClsid32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0\0\win32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5E58DFE1-D27C-4CF0-BFEF-539A63C0BECE}\ = "IBho" | regsvr32.exe
- Suspicious use of FindShellTrayWindow 1 IoCs
  Processes:
  pid | process
  2416 | iexplore.exe
- Suspicious use of SetWindowsHookEx 6 IoCs
  Processes:
  pid | process
  2416 | iexplore.exe
  2416 | iexplore.exe
  2472 | IEXPLORE.EXE
  2472 | IEXPLORE.EXE
  2472 | IEXPLORE.EXE
  2472 | IEXPLORE.EXE
- Suspicious use of WriteProcessMemory 15 IoCs
  Processes:
  description | pid | process | target process
  PID 2368 wrote to memory of 2140 | 2368 | 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe | regsvr32.exe
  PID 2368 wrote to memory of 2140 | 2368 | 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe | regsvr32.exe
  PID 2368 wrote to memory of 2140 | 2368 | 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe | regsvr32.exe
  PID 2368 wrote to memory of 2140 | 2368 | 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe | regsvr32.exe
  PID 2368 wrote to memory of 2140 | 2368 | 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe | regsvr32.exe
  PID 2368 wrote to memory of 2140 | 2368 | 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe | regsvr32.exe
  PID 2368 wrote to memory of 2140 | 2368 | 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe | regsvr32.exe
  PID 2368 wrote to memory of 2416 | 2368 | 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe | iexplore.exe
  PID 2368 wrote to memory of 2416 | 2368 | 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe | iexplore.exe
  PID 2368 wrote to memory of 2416 | 2368 | 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe | iexplore.exe
  PID 2368 wrote to memory of 2416 | 2368 | 03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe | iexplore.exe
  PID 2416 wrote to memory of 2472 | 2416 | iexplore.exe | IEXPLORE.EXE
  PID 2416 wrote to memory of 2472 | 2416 | iexplore.exe | IEXPLORE.EXE
  PID 2416 wrote to memory of 2472 | 2416 | iexplore.exe | IEXPLORE.EXE
  PID 2416 wrote to memory of 2472 | 2416 | iexplore.exe | IEXPLORE.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\03da88767a246e825382e9965bc2cad4_JaffaCakes118.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2368
  - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\gopfa.dll
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2140
  - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://megauplinkbindinstaller.com/bind2.php?id=3913305
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2416
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      PID:2472
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b4ecd349d0b5ac73f3e2f96d88317ad4
  SHA1: 4221aeebe34f71c869bb22d976b2dbca0aa48dd5
  SHA256: e7944b2ce72c5e13e7d8e04560dde7256ac1472ba52393f607e36db6399674a4
  SHA512: a473ab43681760f166959d4bd078a74f7dcd7d20c8e73c1102da7f34ab1b5e1dee70db764bba9f5dcff143b2a82ccd21dfb62fe7fbb5d286ba58062b9a214560
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8c0ea4bdac0e777b3fa41f6d87f5edc6
  SHA1: 22a257eb5c5ece06892f227732d5407ffa7f3525
  SHA256: 88f0283914aa381a060d721b7899b6e23b5dd9e6457ab26f8b2786b3a2d75a19
  SHA512: ec99590d08290cd92f3cb54dead872aec29f5e8afb5bf2a129d4d2240b47d09f969b1c42bbfe5234d22236951ae748347c8296de53c52d31a0b9f31430dab8fb
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 364055ec4b55158110f7aafa908a4b48
  SHA1: ab74e16809707d07cf49da07211b7043d737e776
  SHA256: 6ddc5f421c47dc72dd301f3e392bd5ed809644a1c443f80379bbbb51ca271377
  SHA512: 53d1f9a8e445d996fb3f81297b9c29113d9595267f83df4ab2f16b79c2963bd78274678ffdfb965957eff9468b648b6169a3ea2a18c7bf1adc66cc88a3371748
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c3c1e989c4b8f13d6b8e8dc4fa43b5e1
  SHA1: 2d22b96d14b41feafd3e39a53458bfe49e210965
  SHA256: bcd74d20a97c1eb0fc7520f78d4415c29ffb4b3f203c543a3805bc93c0b4e63c
  SHA512: 88aab11277667b563aa46b5c52338b40d72a5be28deb54f0403c3c2dca3b4319d9af5b18eea477ebcc8cec228ee2a9b84aa15f95c3e406662ec52aa28513e50a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 197d71e05b2bd3d513e0ba0009a06a05
  SHA1: 80532f440ef6f87456c8c799c2469383dd25e732
  SHA256: c34e3a1b81fd042181824a93ad00f8b106ef86f8ef29d16d7c02b6b6b2fc2d72
  SHA512: 38e1b553618c4f81d686c58134f0a5fab0e5fda2e7d7c44c180196ef6eefd438e2a5282c2cf9e49a3fd54944d7ccd706551feea3886dc62392c51c6a85f015ee
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 1d4eb2e87921e7a291996d3b81b9ebfb
  SHA1: 6e19897a94eb29d1bf0c702128e67fa9089e7f1c
  SHA256: c613358f0b3a79348cb8ec22378ef85d789872b4d9d8a2df791fa628f3ca785e
  SHA512: 0dfb3eb1403d10d8363221ff23e855dede0a567fecfde5a54c5f593294dbf13f74625ea8806980096641a90a481d068fbfa4946de2c4a51034abac3b67e3052c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 19c7f62a1f579740a69e0d206b2f3dc8
  SHA1: e283658a823635b1af1b4ffe24512b2ac533253c
  SHA256: 6143df44881b41f0f7df44103e4a0aece2b7b9018bd2bcba8a503c80296733ad
  SHA512: 7c8f5351c26598fdf387eb2e78be3767dd2e2a5ffa1306b9523ac356f0e04b3ca31a35dfa27a55b343ff367f1d25063038bf5e71d5028f516a653668dfa6cd7a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6269e51a46c7b7bf164dd8b97c9619cc
  SHA1: ba81da30c3ec38723eeb9ee59e4134833490a580
  SHA256: c56b2c34ee2a12be8884747a113be173e77c1ac2f38daaf67f4d2100a26c21e2
  SHA512: 50ad7d1ea0d46ef598046b08e30abe02a3c93e3d35d2f8623b12b48c61f47caa3919842fbbb467584a62e08f46cbc41ed58740a0fdfad27d323661978fcbefb4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 5cc819d8e00e13922e7c69494a7eed49
  SHA1: 902ef157af352924b5421359f5088dadf2c6de9c
  SHA256: b28cc2bc87cb319c06486716fc53e7c10862e721fa6523fe3f9d9501ee4bf23e
  SHA512: 83b52ec5ebee731d7e75b640153bc19347b659d47640040b2458736225a35809679c84394ab707c16063dfc4cc17928515c30123dba7097d95d3fd7a5101b2ee
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9a33fe3ad04cf6123260bcc9043eac13
  SHA1: 7e950204fba5ca0e7f174b2fc832f51b86350aa9
  SHA256: 53238f7b9cc6922af67d4b5d6e4417719928e73444182355e4c5d20faace4625
  SHA512: 6fe2f9a321208a98645233f72da457dde75e9ebf9494bf185f48341b0eb97945dc095277695744ae3d85338808e10d44ab32234b08278cd04d024f25446c9067
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 53c3a6cfb0dd5af84affa8cecbee667e
  SHA1: 45608ad512024b5c436e8a90839b89ae62ba1dae
  SHA256: cd4d48b1b5d4f56596a6a5fdc746932430cca2ff79f3e70bf5320821a225ec61
  SHA512: 39345612f18e948ef7bd9dd4b369c12a8885ce14353770e78c140590acb903fa566cc99ede9a82b9f5b3b38d08dc89e670908cee3406b789015e5e3423f01cd9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ed4ffff5b260f57b07535f671ec43bec
  SHA1: 4cdb30b8a7343f39bf37accef7f53378bce531b6
  SHA256: f27c101ddeaaaa1da992e21728420ffb3c049f4ecf1e0d2552f2511a92c7a272
  SHA512: d0d714626c5bbac74c7a9b86bc0528e926d4658c2ed62e5dbbafd58f31cb596cb4cd8030a448d7b732c5e5aabaf029ba0e5df70682f5ecd12ce0f2d8328217f2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b77f90be4bd55f9169fac26844a6de4c
  SHA1: 1f80ea5346afc0910dd36a8adb30777accd0f70c
  SHA256: 604530aa024dea928d017cbf53345c8c600a769d872d4f9abbcb19d83db88601
  SHA512: 26c4393f06540465dd642a0545f4f91b93413c7fc7d840b0fc1ba1691feb35c6dbc15690b574e9d6cb64bac1e0969a99b35a0d76489310837de09de6b4733cbd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9947dff1a104efe318aadd9d33c416b8
  SHA1: 772020fa8adc339887630dcc8992c519befb7900
  SHA256: 45a933700629459ca54d37562baace4d4fc2852b42477a6820dabd77a6e9a639
  SHA512: ddb5bce105d7647b81b232045ddc16ce71949f996959c573b5b74447d54c199875b69fa0afc10ef37cb260668ee84ec7da5d90f6856c0a950ee5dfe1fa27ecb9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 2bb92fd88e8235a040708673820f015e
  SHA1: 67826c0600e67537a38b1e24e8da409e79270166
  SHA256: f32de6e71787d3dc95c9416ce47db3b7ae5d3d535515d1363fd143fb440e534c
  SHA512: 8e14f1b58644df9b9ab7559ac094b91ae38c38580cbce91a54485f5e95dd74d1fc316d6d4b9f00369ab6379be14f6236bdafb95ac0ff5a94b09983bcb563f0cf
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: fc2607c403c9386c36dea9ab9a737580
  SHA1: 6c8e75410c3662d017518e68003778b69a27669b
  SHA256: 3a3692a00888675a7041fd311a666da0589e62f16597d8d9aab188a75ddf5fe7
  SHA512: 8cc93eec0a602778db59e095925407947f63aeaba4b67163ab11d37d3580941e76b1159dfdac03232730958cd25ae815fa32a29c234f9c0a7365d0bb02f7dd97
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 88eb33c1aefddf2d28564d0adf251c9a
  SHA1: de720a29b4487c33d8abe08da811954ef17b46db
  SHA256: 9fc1fb80eb2779b7b27f95d528485011d4ca0b01d3a99dff40067d4085453f69
  SHA512: b7ae67cb4a7adc470326528ac3f2d0f68eca24df8a581987ecb8b3ec6072ecdaff70f166a2e0d0a3da4c981e60d5a11dea2a2ec3bd504c34c24d657b31e475ed
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f87cba1feb8b1f728ce3da5b31675226
  SHA1: a59e91ce68dfc955d7064cd4b67677789190a982
  SHA256: ccc53db5a2af70338f08f2ad19a411a6dfbe8efceeac4b2efc9b36ebabade463
  SHA512: fa31f30d0f2ac28ad6917a3f75ca31cc55afcba0110de25f225d0d0ab6b55669442f1def3a5f32df88787ad6c5a727e1dd587b22b401a8811ddef97bd1b7315d
-
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
  Filesize: 72KB
  MD5: f521eb81607412c970b7fda5d853c0bc
  SHA1: c4e3928b49679d4b5faf52bb37de044c1eb329fa
  SHA256: e461a4281c1b0e8b74a2199fd9e34e9c8aa8f344d5df616307570dd758383832
  SHA512: e2de6c2b00136a3e813df48198b355d336c49fc715dfe12c39502046abae56a1c66924d8d7b0d40df27074c18acd8d361771e9eaad098b15d830b7a7fee90150