Analysis

max time kernel:   120s
max time network:  120s
platform:          windows7_x64
resource:          win7-20240611-en
resource tags:     arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted:         22-06-2024 12:55

Static task:       static1
Behavioral task:   behavioral1
  Sample:          0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
  Resource:        win7-20240611-en
Behavioral task:   behavioral2
  Sample:          0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
  Resource:        win10v2004-20240508-en

General

Target:  0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
Size:    530KB
MD5:     0237f17f99d9ebe657b2542897a64c19
SHA1:    a19e78c85ee53614a1ff6b640a42389db27e9e29
SHA256:  e8a2cc4cc538c9c382d6978293101d3788728532666dad5e5f6eaf5e0313ef96
SHA512:  52796cf6b12c050695158060ce58b3bedbadc3568295b84b3a3f7be1fff79779a69869882bcd939a2ebab52f974cf579a686a97a7aa07b42885bc43d30000c33
SSDEEP:  12288:oSOT2JTqD9G6+gO9psKeeZYVy3h2ijdmmsjWMXDnN9:oSOrZETsZeZYVyR2zjWeLP
Malware Config
Signatures
Executes dropped EXE 19 IoCs

pid   Process
2736  cb8034_ICMEDIAX.exe
2008  nls8034_ICMEDIAX.exe
2248  adp8034_ICMEDIAX.exe
1332  cashback.exe
1864  nls.exe
900   bargains.exe
1580  exdl2.exe
1688  exdl3.exe
1524  exdl1.exe
2772  autoheal.exe
2560  angelex.exe
2608  instsrv.exe
2636  msexreg.exe
2472  msexreg.exe
2944  msexreg.exe
1492  msexreg.exe
2540  msexreg.exe
2724  msexreg.exe
1952  msexreg.exe
Loads dropped DLL 57 IoCs
Adds Run key to start application 2 TTPs 3 IoCs

description:  Set value (str)
ioc:          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CashBack = "C:\\Program Files (x86)\\CashBack\\bin\\cashback.exe"
Process:      cb8034_ICMEDIAX.exe

description:  Set value (str)
ioc:          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NaviSearch = "C:\\Program Files (x86)\\NaviSearch\\bin\\nls.exe"
Process:      nls8034_ICMEDIAX.exe

description:  Set value (str)
ioc:          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BullsEye Network = "C:\\Program Files (x86)\\BullsEye Network\\bin\\bargains.exe"
Process:      adp8034_ICMEDIAX.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object 2 TTPs 18 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Drops file in System32 directory 33 IoCs
Drops file in Program Files directory 51 IoCs
Drops file in Windows directory 28 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
NSIS installer 3 IoCs

resource                                      yara_rule
behavioral1/files/0x00050000000195f0-88.dat   nsis_installer_1
behavioral1/files/0x00060000000195f0-160.dat  nsis_installer_1
behavioral1/files/0x00070000000195f0-187.dat  nsis_installer_1

description:  Key created
ioc:          \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main
Process:      nls8034_ICMEDIAX.exe

description:  Set value (str)
ioc:          \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "no"
Process:      nls8034_ICMEDIAX.exe

description:  Key created
ioc:          \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Search
Process:      nls8034_ICMEDIAX.exe

description:  Set value (str)
ioc:          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "http://www.exactsearch.net/sidesearch"
Process:      nls8034_ICMEDIAX.exe
Modifies registry class 64 IoCs
Suspicious use of AdjustPrivilegeToken 7 IoCs

description               pid   Process
Token: SeBackupPrivilege  2636  msexreg.exe
Token: SeBackupPrivilege  2472  msexreg.exe
Token: SeBackupPrivilege  2944  msexreg.exe
Token: SeBackupPrivilege  1492  msexreg.exe
Token: SeBackupPrivilege  2724  msexreg.exe
Token: SeBackupPrivilege  2540  msexreg.exe
Token: SeBackupPrivilege  1952  msexreg.exe
Suspicious use of FindShellTrayWindow 26 IoCs
Suspicious use of SendNotifyMessage 1 IoCs

pid   Process
1332  cashback.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0237f17f99d9ebe657b2542897a64c19_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Installs/modifies Browser Helper Object; Drops file in System32 directory; Drops file in Windows directory; Modifies registry class; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  PID: 1900
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32 /s C:\Windows\system32\msbe.dll
    Signatures: Loads dropped DLL; Installs/modifies Browser Helper Object; Modifies registry class
    PID: 2692
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32 /s C:\Windows\system32\nvms.dll
    Signatures: Loads dropped DLL; Installs/modifies Browser Helper Object; Modifies registry class
    PID: 2364
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32 /s C:\Windows\system32\mscb.dll
    Signatures: Loads dropped DLL; Installs/modifies Browser Helper Object; Modifies registry class
    PID: 1520
  - C:\Windows\cb8034_ICMEDIAX.exe
    Command line: C:\Windows\cb8034_ICMEDIAX.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; Drops file in Windows directory; Suspicious use of FindShellTrayWindow
    PID: 2736
  - C:\Windows\nls8034_ICMEDIAX.exe
    Command line: C:\Windows\nls8034_ICMEDIAX.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; Drops file in Windows directory; Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow
    PID: 2008
  - C:\Windows\adp8034_ICMEDIAX.exe
    Command line: C:\Windows\adp8034_ICMEDIAX.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; Drops file in Windows directory; Suspicious use of FindShellTrayWindow
    PID: 2248
  - C:\Program Files (x86)\CashBack\bin\cashback.exe
    Command line: "C:\Program Files (x86)\CashBack\bin\cashback.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Drops file in Program Files directory; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
    PID: 1332
    - C:\Windows\SysWOW64\exdl3.exe
      Command line: C:\Windows\system32\exdl3.exe 3~0
      Signatures: Executes dropped EXE; Loads dropped DLL
      PID: 1688
  - C:\Program Files (x86)\NaviSearch\bin\nls.exe
    Command line: "C:\Program Files (x86)\NaviSearch\bin\nls.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Drops file in Program Files directory; Suspicious use of WriteProcessMemory
    PID: 1864
    - C:\Windows\SysWOW64\exdl2.exe
      Command line: C:\Windows\system32\exdl2.exe 2~0
      Signatures: Executes dropped EXE; Loads dropped DLL
      PID: 1580
  - C:\Program Files (x86)\BullsEye Network\bin\bargains.exe
    Command line: "C:\Program Files (x86)\BullsEye Network\bin\bargains.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Drops file in Program Files directory
    PID: 900
    - C:\Windows\SysWOW64\exdl1.exe
      Command line: C:\Windows\system32\exdl1.exe 1~0
      Signatures: Executes dropped EXE; Loads dropped DLL
      PID: 1524
  - C:\Windows\autoheal.exe
    Command line: C:\Windows\autoheal.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Drops file in Windows directory; Suspicious use of FindShellTrayWindow
    PID: 2772
    - C:\Windows\SysWOW64\angelex.exe
      Command line: C:\Windows\system32\angelex.exe 0
      Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
      PID: 2560
      - C:\Windows\SysWOW64\instsrv.exe
        Command line: instsrv.exe ZESOFT C:\Windows\zeta.exe
        Signatures: Executes dropped EXE
        PID: 2608
      - C:\Windows\SysWOW64\msexreg.exe
        Command line: C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\Bargains C:\Windows\system32\vx1.nls
        Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
        PID: 2636
      - C:\Windows\SysWOW64\msexreg.exe
        Command line: C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy C:\Windows\system32\vx1x.nls
        Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
        PID: 2472
      - C:\Windows\SysWOW64\msexreg.exe
        Command line: C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\NaviSearch C:\Windows\system32\vx2.nls
        Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
        PID: 2944
      - C:\Windows\SysWOW64\msexreg.exe
        Command line: C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NaviSearch C:\Windows\system32\vx2x.nls
        Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
        PID: 1492
      - C:\Windows\SysWOW64\msexreg.exe
        Command line: C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\CashBack C:\Windows\system32\vx3.nls
        Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
        PID: 2540
      - C:\Windows\SysWOW64\msexreg.exe
        Command line: C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashBack C:\Windows\system32\vx3x.nls
        Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
        PID: 2724
      - C:\Windows\SysWOW64\msexreg.exe
        Command line: C:\Windows\system32\msexreg.exe /S HKLM SOFTWARE\eXactUtil C:\Windows\system32\vx0.nls
        Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken
        PID: 1952
Network
MITRE ATT&CK Enterprise v15
Downloads