Analysis Overview
SHA256: fa9bb26778829a58c0b15ea253f3b37c4d930be1b832141b371f232361c752c2
Threat Level: Shows suspicious behavior
The file 0243ce7dd550e1ed8ad6355bf37c3766_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Adds Run key to start application
Installs/modifies Browser Helper Object
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-22 13:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-22 13:04
Reported: 2024-06-22 13:07
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 149s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uzotunrxwmuebgkad = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\0243ce7dd550e1ed8ad6355bf37c3766_JaffaCakes118.dll\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{135D506C-0A20-3446-81D0-BE63E20CCDAF} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{135D506C-0A20-3446-81D0-BE63E20CCDAF}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef8626000000000200000000001066000000010000200000002c1a6ed5b0e65996033f9d28ca19e578d4ebedcf1ef3546c06dd94c84b68de8b000000000e8000000002000020000000391e7b3fbeb2fbdafc108421c4fb693dee86dd97ae84f3660e4e7a21e45a2c2e200000005f8fa763cc514e9ebd0daf15034e5311661e98f9b296c0dc32d1578284a829de400000002f1d606c9109d700002732185dea5f1e1246c1e1f4823b7536775caba00356af8ba2985b2e0d5dda997161824ab600c6f5e5e9494e55ead783f789120bfbf2e1 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef8626000000000200000000001066000000010000200000001a02a77d1cc92b034c0ef50b6f11f85d4e7c05ad2e0bb99d2ab58486dc3c43e4000000000e8000000002000020000000c7ee8dec001ddd94a9654b0024c126edb88e8fbd37a99f54033fa5956d299b3b20000000c9f1fa24253bc111115f4b6b93fb4db1d70057dc30f611e75af08b59a16e0cd04000000064d128cbf6279e4dee4d18d33ce4ec585e17656380a333402b23e6fcabc8d8c4b53e4795401758bd48373fd369e0b463d7213340540764e6c18ecd870f7c0b05 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50ed2deaa4c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425223375" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{068A464E-3098-11EF-9519-C2748A3A93CE} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 401935eaa4c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{135D506C-0A20-3446-81D0-BE63E20CCDAF} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{135D506C-0A20-3446-81D0-BE63E20CCDAF}\ = "precisead browser enhancer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{135D506C-0A20-3446-81D0-BE63E20CCDAF}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{135D506C-0A20-3446-81D0-BE63E20CCDAF}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{135D506C-0A20-3446-81D0-BE63E20CCDAF}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0243ce7dd550e1ed8ad6355bf37c3766_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2508 wrote to memory of 1908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2508 wrote to memory of 1908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2508 wrote to memory of 1908 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3744 wrote to memory of 4676 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3744 wrote to memory of 4676 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 3744 wrote to memory of 4676 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0243ce7dd550e1ed8ad6355bf37c3766_JaffaCakes118.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\0243ce7dd550e1ed8ad6355bf37c3766_JaffaCakes118.dll
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3744 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ads.precisead.biz | udp |
| US | 8.8.8.8:53 | ads.precisead.biz | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-22 13:04
Reported: 2024-06-22 13:07
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 128s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\axpoxhjktqsxlmm = "C:\\Windows\\System32\\regsvr32.exe /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\0243ce7dd550e1ed8ad6355bf37c3766_JaffaCakes118.dll\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{42519802-2AA8-C87D-F2F2-EF51437F580E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{42519802-2AA8-C87D-F2F2-EF51437F580E}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{068F6DC1-3098-11EF-BAF4-4AADDC6219DF} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0e238dba4c4da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002c4e4c9c28b47b43ae04ad516d94e0ce00000000020000000000106600000001000020000000e7a96ca4adcc1e582551c8183f18d7cbf71351cecffaabf02097544e817c4430000000000e800000000200002000000005e762e5b38c2ef76e68d531bb393b210342368fceaaf682590a179613932eb320000000c31db16977fc9b69fb36ebbe2dd5858433b25f5cb5ca7c78d948be009f5dd240400000006dda6cbe7b6687913521cac13a19a3cf919e6c8492577a7fac504f6e4c8745f9ec15838a020e07e28d048335e299c505c73baf41d87d06843b186e65cb2d2d41 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425223365" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42519802-2AA8-C87D-F2F2-EF51437F580E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42519802-2AA8-C87D-F2F2-EF51437F580E}\ = "precisead browser enhancer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42519802-2AA8-C87D-F2F2-EF51437F580E}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42519802-2AA8-C87D-F2F2-EF51437F580E}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42519802-2AA8-C87D-F2F2-EF51437F580E}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0243ce7dd550e1ed8ad6355bf37c3766_JaffaCakes118.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0243ce7dd550e1ed8ad6355bf37c3766_JaffaCakes118.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\0243ce7dd550e1ed8ad6355bf37c3766_JaffaCakes118.dll
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ads.precisead.biz | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files