f69bb8df437fde3ad1418a68618a07e35b1fbdc5b37f04326c7e0c307ffa6db8

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe
Size

161KB
MD5

07a892f110c29cd4e42cfc9a95dd84f3
SHA1

6560bca43717a367c7488442d23208fd02c1439d
SHA256

f69bb8df437fde3ad1418a68618a07e35b1fbdc5b37f04326c7e0c307ffa6db8
SHA512

00f7fe654c5a7f34ba1937d00c77916a106b67375db3e5a8da86e0be2c77e8221859c355d3994961ec5a74268eb94e3b3943a1e42e306d16c47cfe8028d16e7a
SSDEEP

1536:9ugPyptzfguPH0UqxH0a2Fnk4dYlHVIVzNIFbfs4TQT7TiO8Jxq5dmrhNv8n3ioY:9ugPyPvqWknWkbs4y7TifAArbC3ioOCU

Score

7^/10

adware stealer upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2416	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1876-0-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1876-20-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DED2B61B-1A26-4566-BF2F-DE539D4468DD}	regsvr32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gopfa.dll	07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\p.ico	07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\c.ico	07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\m.ico	07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\s.ico	07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BA1E89C1-320A-11EF-BB79-CEAF39A3A1A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000004ca79ab5bd2678867ca4fe4fea37069fddf35798ebb65b14aaafd7ba85a97628000000000e80000000020000200000009dcf932424ee41c586d45b155fe260f84ac664da5f4a5eca1c69c57d54e72375900000004de631654ea34d0c340ec72ce8f0b9dad1c54bb40d47c0b7845e2a3eb2a359573bc9401d35d48fa9c5f2b239020d5f0d386b5c27262b8549f5bc767f4db4a9052b2e1afd38ec2ee7a42394d7aec527a8e9bda42b10521fb43aee64183d557f5b56e974398fff542791cc42f2c0c06846bf9e0af46d85792309a72887691040e9d18a9a2336e1fb7fbf1940898fea77b4400000001d3006b6438a8a4e08eb90cbf5626ab4976b62c3e21185d32b8caf10ed308f56e9440d3ae1a6ebba52ed4b18ba95cf60a7eb3dab04c56f9e170e8ec857c6957d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d10000000002000000000010660000000100002000000039353f1f20d25036a013896e929acb27239b552b255a6136fc521232d806da5d000000000e8000000002000020000000b3ab8280f30a30ea0558f80d4f92cf56b9fe58caa31cb2f89e7f70e0ca472a9720000000084b4059b2ff3b0bcbc455c797c5eafa91334527c5c0c046dcaba92522b6c35a4000000067d1a07edf7125514b8a5cded0a45b7b46025e0a603fb255e039fbe4400b3d1433a276373d31315e469bcde63f82864f8d5e521c58af67245df12acef02914d0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0044c38e17c6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425382579"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{150119AA-A801-4DDF-BE5C-14CAF721A9FD}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{150119AA-A801-4DDF-BE5C-14CAF721A9FD}\TypeLib\ = "{10026069-7A5F-4531-811E-C8DF20643BEE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0\ = "Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{829BA8A2-4515-4D62-9A4B-B89D4B55094F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{829BA8A2-4515-4D62-9A4B-B89D4B55094F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{829BA8A2-4515-4D62-9A4B-B89D4B55094F}\TypeLib\ = "{10026069-7A5F-4531-811E-C8DF20643BEE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{150119AA-A801-4DDF-BE5C-14CAF721A9FD}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DED2B61B-1A26-4566-BF2F-DE539D4468DD}\TypeLib\ = "{10026069-7A5F-4531-811E-C8DF20643BEE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{829BA8A2-4515-4D62-9A4B-B89D4B55094F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{150119AA-A801-4DDF-BE5C-14CAF721A9FD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dostal\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DED2B61B-1A26-4566-BF2F-DE539D4468DD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DED2B61B-1A26-4566-BF2F-DE539D4468DD}\ = "Lamsa"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{829BA8A2-4515-4D62-9A4B-B89D4B55094F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{150119AA-A801-4DDF-BE5C-14CAF721A9FD}\ = "IBho"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{150119AA-A801-4DDF-BE5C-14CAF721A9FD}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lalama.Bho\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DED2B61B-1A26-4566-BF2F-DE539D4468DD}\ProgID\ = "Dostal"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\gopfa.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{829BA8A2-4515-4D62-9A4B-B89D4B55094F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{829BA8A2-4515-4D62-9A4B-B89D4B55094F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{829BA8A2-4515-4D62-9A4B-B89D4B55094F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{150119AA-A801-4DDF-BE5C-14CAF721A9FD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{829BA8A2-4515-4D62-9A4B-B89D4B55094F}\ = "_IBhoEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{150119AA-A801-4DDF-BE5C-14CAF721A9FD}\TypeLib\ = "{10026069-7A5F-4531-811E-C8DF20643BEE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DED2B61B-1A26-4566-BF2F-DE539D4468DD}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{829BA8A2-4515-4D62-9A4B-B89D4B55094F}\ = "_IBhoEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{829BA8A2-4515-4D62-9A4B-B89D4B55094F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{150119AA-A801-4DDF-BE5C-14CAF721A9FD}\ = "IBho"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lalama.Bho\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DED2B61B-1A26-4566-BF2F-DE539D4468DD}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dostal	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lalama.Bho\CLSID\ = "{DED2B61B-1A26-4566-BF2F-DE539D4468DD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{150119AA-A801-4DDF-BE5C-14CAF721A9FD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DED2B61B-1A26-4566-BF2F-DE539D4468DD}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DED2B61B-1A26-4566-BF2F-DE539D4468DD}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{150119AA-A801-4DDF-BE5C-14CAF721A9FD}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lalama.Bho	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DED2B61B-1A26-4566-BF2F-DE539D4468DD}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{829BA8A2-4515-4D62-9A4B-B89D4B55094F}\TypeLib\ = "{10026069-7A5F-4531-811E-C8DF20643BEE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{150119AA-A801-4DDF-BE5C-14CAF721A9FD}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lalama.Bho\CurVer\ = "Dostal"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DED2B61B-1A26-4566-BF2F-DE539D4468DD}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{829BA8A2-4515-4D62-9A4B-B89D4B55094F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{150119AA-A801-4DDF-BE5C-14CAF721A9FD}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dostal\ = "Lamsa"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lalama.Bho\ = "Lamsa"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{829BA8A2-4515-4D62-9A4B-B89D4B55094F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{10026069-7A5F-4531-811E-C8DF20643BEE}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{150119AA-A801-4DDF-BE5C-14CAF721A9FD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Dostal\CLSID\ = "{DED2B61B-1A26-4566-BF2F-DE539D4468DD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DED2B61B-1A26-4566-BF2F-DE539D4468DD}\VersionIndependentProgID\ = "lalama.Bho"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DED2B61B-1A26-4566-BF2F-DE539D4468DD}\InprocServer32\ = "C:\\Windows\\SysWow64\\gopfa.dll"	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2644	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2644	iexplore.exe
2644	iexplore.exe
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2416	1876	07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe	28
PID 1876 wrote to memory of 2416	1876	07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe	28
PID 1876 wrote to memory of 2416	1876	07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe	28
PID 1876 wrote to memory of 2416	1876	07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe	28
PID 1876 wrote to memory of 2416	1876	07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe	28
PID 1876 wrote to memory of 2416	1876	07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe	28
PID 1876 wrote to memory of 2416	1876	07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe	28
PID 1876 wrote to memory of 2644	1876	07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe	29
PID 1876 wrote to memory of 2644	1876	07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe	29
PID 1876 wrote to memory of 2644	1876	07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe	29
PID 1876 wrote to memory of 2644	1876	07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe	29
PID 2644 wrote to memory of 2672	2644	iexplore.exe	30
PID 2644 wrote to memory of 2672	2644	iexplore.exe	30
PID 2644 wrote to memory of 2672	2644	iexplore.exe	30
PID 2644 wrote to memory of 2672	2644	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07a892f110c29cd4e42cfc9a95dd84f3_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\gopfa.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2416
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://megauplinkbindinstaller.com/bind2.php?id=
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b2685fda78aff36482bf2da4ffd9610

SHA1
28ab14a5d68882f27e3839436991c940bb0de927

SHA256
899fab5cd1114fcc48e13391e4971ff801732e785a99ba9ddc38839f4c87e5af

SHA512
920db28eedca7fa1a603a0e6c9b6142d870f1e58dd0e957529b7ccc8e3f39337b0379397bf09dd5ccd5c967e331d864f65a6596d4e8d6a391d3b9346f25bbde6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69b92993075b5c2391bc17378e1022d8

SHA1
32c9e8726b015811f5827352e995e0116e970234

SHA256
7ccc55fa473f0338984cf4bb3bdfada4fcfe1fa5b3fec5d8efcad993c540eabe

SHA512
36d3ab3135ce616d0e2c84df1c09f1df518229591f58ac694c3c931d674fa830c69a5e843a11c80d39be80452d789a9bad4ae090913b0d02796e27071baa34a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7680e4dff203a9756d3c71df62039b64

SHA1
ef0baa144941a286fd878420a6c40de62e8a282b

SHA256
52cf006bc39ae91cc5db4e72100fcedf806d3ebcb33df9c44235ce922d4f653c

SHA512
e03cca90cc45897991049ff350365bf50c3b1fff7504e41e582f530e29949d6d1833a74ec2fc66ce1e0d408b61190a67009761d11e6ba6d88753f16f7aa788b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc1df93f3be628527a1a422d34deec92

SHA1
398459137b4ad2467b383fb9421cfb80a8e479db

SHA256
d6a064d1527e5daa2918f42d81df0c621b96f193db091ebe9e30eeeaaa8f5334

SHA512
c0d9417a7c64687315527d9bc8293bbe9d1b8207f26b4021866b4224e8ff040ca23be2b7a1a6c328a035bc2aee846e17934dc6954a9bd88db01f78c727fc075e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ed6e9298c96b45af18bfb14cb2d8ac9

SHA1
7b3958bdff2379e62d2e96ae41cc4e7fb46af698

SHA256
0a4cef5a8e44f65810d4e52f450e24ddaaed34e89d4bd699c8b9392121590cac

SHA512
91e30918c94a1cae01b89f4214bcaa910f7e270f82a18e03d6b3ce1d84358bbfe8cce503d63bb1089e38b6773a07497cfc03ab405985f46af65827ff594f706c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
259714b12bcba3d66593e49e294b8819

SHA1
dc0ce2d00d3fc52017bff26eb50a1fe4fa27fe43

SHA256
c6da522efd7db4a8fc3ee9d4c59247a69fb703b14733699a717403a2a1ca13bd

SHA512
4cd4cfca7a3e9cda191d08fcec643d587f46b7eaf6486aad29556064dc5f72a54d1b472ac1a0c4fcddbe8c234700a6eb1ae19a09f89445f1ac485fd230be2235

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65b573cc9ea1f9625f817c64463e7047

SHA1
4e75b758c3b3c937a1c9614c261d43a9bebc5ee5

SHA256
93ec1ea7dda950840c39dbf6d99f81d7c5473a5478daaba5036a21cd52053cdd

SHA512
7e24a783153c0a07f5c574298756d92cf8e868c7f9f73023fdae0264fa22c43c29390063fcd720635f70163d66580038691ff034657ae6eb51202f52bce2d445

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32307052fc8f216e62096a0399796db0

SHA1
083cf2c01c915c8f1b6cece025c8f14ecdb9d504

SHA256
18300a188d9bcc7ad27f15e8c3839bc6933707f77a580b3f9728c83f580edfcf

SHA512
b141a5b0cbb3c9ac57165ec0581428b1c07d4516d9b6cbac669fbd8af0bae1903363ce35d58711743ab4238bbd90622b4dce83b8d20dbae114fc74b5d6a6f915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f89ce039bb1a15350485499617376d2e

SHA1
fc636bd0845f761c30ba0d38a43eeb40cfe61fd2

SHA256
69b33ed94bc295409db83cd1983200e16e3b0f1fe699746d40915af9b09d7be2

SHA512
a54060b2b3ba6a7e38bfcad6382b541c292423caea43d180b9eef05cab02c214feff1615ddc13681dcb3cbda1dcd5bf90fd0b2b775581b44a1cdd36ba7db7fde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f9452c63b9c049c9279378b99ceae97

SHA1
e28ce5d116d6570e8be439f9ec00779d8178b28c

SHA256
7458e7134017a0c598e20685bd8a11c3697b94d8978dc672cd32f728d4ff85e2

SHA512
874239af075f24dde7dc947cbe31c23814001c68c2e1d40a0b6a959ab6e9111c2c667815a9e31b0ae47e95ca0e9b8af7edf9d1ab8a2aaf2c2ce655c05919ced8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e653e8d0ff6a2d5dbec6d92b12fd571

SHA1
182311a22cc931dd64cb7e69231db22e6de94421

SHA256
3cda50563c906857db522ec5cef9810c9ffc640869f3ab72b808ce7803788130

SHA512
54b7b231617a9c5dbde3b623d7a87906f8882c69ace3ce2f9b793c7d701f04b16a0e2bbeae1eb6d77a9d1434f30b8ad65a525907202e3c00554fcef4fceeb22c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72866c6854c1b4b4d9ef8f4b0091d3b2

SHA1
079c68df7d5607e47f1fe968f2719376bfe3359e

SHA256
9a21b261345a1bfe8282f43ba98f6bdac4316b29e6a9747f2f6ca58b96f8929b

SHA512
dfac2e1f277b97634949189d1fbde9d199a10ba0085aee2df2c95a5f5400e4abadfd3815c3d6045ce71ff0ab0d81282d9a32ed77c31bac2dd674e59275b727ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2362a330ef5416843cea15a77f881868

SHA1
bd9b5ff7520aaf324c48a9df0bdd14b28e6fb0be

SHA256
624593a3b5f44a54ef41bee43e013d4c339d1247a09ff84c421b5217082560ed

SHA512
9f4b0610fa895c9c7b9c67de23e3c876b9dfb683be1c402711443670a28378017dfcc927215fa59ee10e40f0e03e88f6172e4c49111213f6fbd91674b46046e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06121306994c8dbb31a27b190df2d5fa

SHA1
9d327fd321e8860af19619f292579ff4f09c1df8

SHA256
e516f09779e8e54cda5b441257932dbe65fb74e3812b4849b38f07037655c146

SHA512
2bdb76ad29458012e5fdd15b2a337a9bbc4914776096d6f11cd3cf0ca3f39a892b12c50903c349cff765a0ad6e88ee766a3919c48c6433d2ed86275dc557b3b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddc9afe588fc0526178b2e6e91eff581

SHA1
d9a1b29660601618d4d7ecc647dbfae07b63cb95

SHA256
c2ae7f9ea1c20143164b9c8f5021a9b21094578a40f5b20a29b8c10118e29dff

SHA512
b65f5f19c4c7e152ca40449b49841df1f38cce29ddafbc1eb8f34bc65fbbb3bf9f5040176c2307766d065619c2556b9da3778398c13b011288c8d15a1fb5a826

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08c37d04ec4e6ce271c2a768006e05ae

SHA1
a653c61a08ee2e8abc079b0d62adb03a2f07fb3a

SHA256
979730f08ecad6d02f89d914d3f479c306d908b9c954b1588fa63bc21ec3b99d

SHA512
c82d382af8380a794812a5a8f00d2a95c470e4f308168234df113957243d1bfb4ecfd9503ba16dea5ad0ace30f48475eb82426fb249ec3e0685ca2792a8f27df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0e356ce401db39d5dcfcfac672e3681

SHA1
f57fd5ef8c2eb71fa1d7b596f3b13740119983e0

SHA256
f8f4560ea726b50dc2cf138c183825579c33f009b6ada05dc0b13337583f43b9

SHA512
3e1ca67a334bea9858240426a2e76a1455728f63a6af89eb22d98fdfde7e07e3758db2679af225b8cba6390ce21cc1bff64e54ed74837c0daefc5ad33b4eab75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
103daec8f54feb9f17ed58fc042245ef

SHA1
41385a1d0eaa46d6165831b8534b5fdd6c64122a

SHA256
392142d24bbdb8e718af8725a9a6ceb7e6e3ea7c9ed35364ce2bd29b661d9187

SHA512
bfe9c3d4c67c90373e2faf432cc6e747036881f9731bef70ed878e9aa5f208aa346b05f9cb4c0ec9f33ec2fe52b37a3611f799978b05da1c4fdd8f892c92176c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d4c8e996c27b338067d184de15dbe53

SHA1
f6d51c92df23c92f017a47a621dd1009cc8f2632

SHA256
35d0b1622f579b95d4a87bf7f2503b9b0d71d481b8b2953bb0498c9f036885e1

SHA512
ccf37c39287fd84eedd198202da4c90c011e1fbc4956e1432dc44a72bc3c40625826e9031ad25e8b1eed1a349e805ff900d1bfa554e4639f45ba8e942478aa5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3601.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3695.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\gopfa.dll

Filesize
64KB

MD5
96666686b1aa4f9c66379b7ee0464001

SHA1
6491eab90ac6063c8fa40d41b8288e4f98b02661

SHA256
800b635ef838e57d58f54f5b3cc16954accd861a694d1042f7e2c60a4bc6d91e

SHA512
0b2c8c228658d9da1fc17f1b02ab4981219ef3761d9a514f420c2b97e91a66aaa90a90fc2dd5ef8a6c924d390a0ee397e36d98c17645b1edb3fb4b6ccbea7cbb

Download Submit
memory/1876-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1876-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads