3efc1ca8c300134b53a71039cb21fd43306a31773a3a9b755d927ee92fe727c5

Analysis

max time kernel
143s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Size

172KB
MD5

087ba2145094b22f951a49afdfda3239
SHA1

19b17a6c7b676770ca34b7c554c1ecbced427a8d
SHA256

3efc1ca8c300134b53a71039cb21fd43306a31773a3a9b755d927ee92fe727c5
SHA512

e38741bb07edbe33523f25623405307c5831f1a7d335ae3c811418c8f209cb25e58d5a088e8c9b731d83f0e60d201633637437757a369d09a553f2b0d7a2b657
SSDEEP

3072:6uZgPi91VPdIuG8UvahsdcYX3UI2EuJ3im/ZCdady+RlTp/VYq63+s:6ZPi9PBUyhsdEI2++M+RlTHY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1924	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
1924	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
1924	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
1924	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.ocx	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A399FC61-3224-11EF-A5E3-DA219DA76A91} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000a701fbbfcc015c5241d0fc0045d60a8563f76e5a1c4b08770cd4adea1881d5ce000000000e80000000020000200000002e12637730b0986da36e40f1c65d7b026e6229597e19891abde48549ae482f0d900000002e4b1e5a9bde7c88e37a1c08fa85bf632aa5392f133e457d179b4a73c4d1b73758ad9a06f68d2b3d888d7337d2e2b3ad667336995ab461f7680f5e2f41ef3b109291cbb9e71cfbc364c09048563ab5830840a2b66f2a6a622719d388ba96780c1c91537a2e6512229704ae377b4ce9268a34782f7e5896fe5415570809b82967744199a74053e65a2fd92bacfb9b920b40000000e7d60bdbfd38ab4327e745a9375dec57ff8d67f4e2bbbc4eeafadee5ae4e682b6dfdc98d155f123898d1693663e0f1d5538a43463b43230fe9d9a6d4dce3ab2a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000268dbd2ac5c5300c77b09a6bcd53e21c17b84deb8f453715208e6609e7cdf974000000000e80000000020000200000000c0f2bf9c2ed8e8568880a826cf25d5f3145e67b3effe4c8c1c716e8a41fffaa20000000338670f4594b77440f4839693085b587ac81749863834a2168b3ce25ec81e94d400000005faf411658451f123034b34325c619e03a833ea609ffe240d540fcdbaf17293927af80dc1a30f68d997d17537bc2828c923b6a613c0edf804f94226f268d4915	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40eacd7431c6da01	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0 (SP6)"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0 (SP6)"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0 (SP6)"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0 (SP6)"	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2604	iexplore.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1924	087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
2604	iexplore.exe
2604	iexplore.exe
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2744	2604	iexplore.exe	30
PID 2604 wrote to memory of 2744	2604	iexplore.exe	30
PID 2604 wrote to memory of 2744	2604	iexplore.exe	30
PID 2604 wrote to memory of 2744	2604	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\087ba2145094b22f951a49afdfda3239_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1924

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msi.html

Filesize
1KB

MD5
9235d74601a66d4b22924a788699e08b

SHA1
0b72c6000276d751d7d070fefbbc5d502c0c7ffd

SHA256
d9a13acdfdcbfe102457dfe24e1eaa1fadc166e5ab296f46c89e1739733f4bc4

SHA512
8466f5153a68cd327092535891d7663811b8fb524a1f02cc4ca8258dddf337b56da14799b53cbb42608a836fc9ef7df56d67535346108c468fa9b991abb3370b

Download Submit
\Windows\SysWOW64\MSWINSCK.ocx

Filesize
121KB

MD5
e8a2190a9e8ee5e5d2e0b599bbf9dda6

SHA1
4e97bf9519c83835da9db309e61ec87ddf165167

SHA256
80ab0b86de58a657956b2a293bd9957f78e37e7383c86d6cd142208c153b6311

SHA512
57f8473eedaf7e8aad3b5bcbb16d373fd6aaec290c3230033fc50b5ec220e93520b8915c936e758bb19107429a49965516425350e012f8db0de6d4f6226b42ee

Download Submit