9587e0ee5f7e453c167da4a74f9747d4ebccbe59469cbe122e54622d021b2001

Analysis

max time kernel
141s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Size

856KB
MD5

1bfae9f9628f0d220c718d7610581fe1
SHA1

58a2b957183ed0452eaaf2e08a17f932828868fe
SHA256

9587e0ee5f7e453c167da4a74f9747d4ebccbe59469cbe122e54622d021b2001
SHA512

15ca0c6872f9e4b1da8dc552b5795400ac87976ee579d8d6d65fb617c3e65a2142c9c498b4e400d8e3af2d17a11cc9788ab4ba937b0136ff9f365d7ee3e9183e
SSDEEP

12288:Itw6mXWiVeMM4hzcG7A/OPTi0GLkTUOaOkczmz8Cpkm0t4c0T5rGhY38QTS:nWiUMM4qGBf5an0g89dUVGhGW

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023528-14.dat	acprotect
behavioral2/files/0x0007000000023526-18.dat	acprotect
behavioral2/files/0x0007000000023529-26.dat	acprotect
behavioral2/files/0x00030000000006dd-37.dat	acprotect

Loads dropped DLL 10 IoCs

pid	Process
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3224-13-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral2/files/0x0007000000023526-18.dat	upx
behavioral2/memory/3224-23-0x0000000000E60000-0x0000000000E73000-memory.dmp	upx
behavioral2/files/0x0007000000023529-26.dat	upx
behavioral2/memory/3224-30-0x0000000002830000-0x000000000289D000-memory.dmp	upx
behavioral2/memory/3224-29-0x0000000002830000-0x000000000289D000-memory.dmp	upx
behavioral2/files/0x00030000000006dd-37.dat	upx
behavioral2/memory/3224-46-0x0000000003A60000-0x0000000003AAE000-memory.dmp	upx
behavioral2/memory/3224-102-0x0000000002830000-0x000000000289D000-memory.dmp	upx
behavioral2/memory/3224-99-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral2/memory/3224-103-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral2/memory/3224-116-0x0000000000400000-0x00000000005F6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kvn.dll	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tmpad.xml	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\QMDispatch.dll	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
File opened for modification	C:\Windows\QMDispatch.dll	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\IESettingSync	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\TypeLib	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\ = "QMFunction Class"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine.1\ = "QMRoutine Class"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\TypeLib\Version = "1.0"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ProxyStubClsid32	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\ = "QMFunction Class"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\VersionIndependentProgID\ = "QMDispatch.QMRoutine"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\VersionIndependentProgID\ = "QMDispatch.QMFunction"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\0	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ProxyStubClsid32	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\TypeLib\ = "{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\CLSID	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\TypeLib\ = "{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMCore.QMEngine\ = "QMCore.QMEngine"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMRoutine Class"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\ProgID	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\CurVer	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\ProgID	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\FLAGS	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMCore.QMEngine\CLSID\ = "{EBEB87A4-E151-4054-AB45-A6E094C5334B}"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMCore.QMEngine"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32\ = "C:\\Windows\\QMDISP~1.DLL"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ = "IQMRoutine"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\ProgID	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\LocalServer32	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CurVer	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\ = "IQMFunction"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ = "IQMRoutine"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction.1	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\InprocHandler32	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\TypeLib\ = "{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\0\win32	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\TypeLib\ = "{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\Programmable	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\ = "QMDispatch 1.0 Type Library"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\CurVer\ = "QMDispatch.QMFunction.1"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\VersionIndependentProgID	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\HELPDIR\ = "C:\\Windows\\"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\TypeLib	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction.1\ = "QMFunction Class"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction.1\CLSID\ = "{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\ProxyStubClsid32	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\ = "QMCore.QMEngine"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMCore.QMEngine\CLSID	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\InprocServer32\ThreadingModel = "Apartment"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine.1\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
3224	1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1bfae9f9628f0d220c718d7610581fe1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4180,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:8
1⤵
PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSSCRIPT.OCX

Filesize
100KB

MD5
656524b4401f21e2929b78ef4c36db27

SHA1
d91ff837d6ced5f0442fd0812b6c1079fe417906

SHA256
d493f101ccd1d8804c0981f4fc630718b267d7155bdb575d6f619497956ea44e

SHA512
d28b17c924fb5f172944c055a85003575300305eddbbc4c89460777108c87154622b39515ee1f994d713d790fe5b74a69c835bd00d0affc5292fa0150617c34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinIo.dll

Filesize
25KB

MD5
d66abccb6300fc12310bda0006d37f7e

SHA1
e9b917d7b81cc3ce67e2ead4859f5d818618a194

SHA256
2b2070ad6c2a47ae618524112147480d255890dd573512e13ba31e306c109051

SHA512
ff9356f0f9bcc543e67bad7ce9487c117dfeae128d777e3325f5ccc7aea030e75e3dc7870e07bd5f0a0ab2ded5be962f5069edfe515fdb7444417996c3e7bdb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfgdll.dll

Filesize
36KB

MD5
98e900c04b9ab84405b224af31b93b65

SHA1
3a7b1dfd8c5d57cce94fdf8f8b4dac3470833017

SHA256
a2e88bff39817950b89293b10c7775d113a07402625e21c16a23ed47d088a1c8

SHA512
a9627d29787cd57f878bab9f4883475378105232ff42a0ba653969413c15e68b5ab2b4ceb02918dc8e243822e5273825b2766d58ca4dbe90c3d252c2d96343a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cooper.dll

Filesize
90KB

MD5
54efdf4ad6c4813c490078f8cb9d4640

SHA1
91d9109fbda221c666ec918ac3d7458bad8722b4

SHA256
7adcc11e15d9c038b53c74df33a8cdeaa31b4f2c9f9d7586bb0dc3337aa579fd

SHA512
9c7ba4888e29349ee7362e398f375fb2514436339c9b7358debe793cf9fb77db07ad87614a50b052d9eddf25c1118f57111de2bddffcd4bbe5310f01a8340b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\helper.dll

Filesize
17KB

MD5
de2f747a18ec822c81133084bcdefa86

SHA1
2fada4c6673a8f323c0cc57b2eb6ee6b3f5f9a29

SHA256
fbd5cd683e31d1cc8db58bbcd449e582cdd02bb69cb4585cf4deec233afe2d43

SHA512
0f4ff2a85bcd207adfadd1b1f939a645fbec60f4546938be0e17477c71411599753d4325c5d28f3e7b5fb9b0adeb20c0988c654dcd788f348b3c1231d0933e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\macroinfo.dat

Filesize
228B

MD5
06ed67b844462ba9a794309f99c022e9

SHA1
8d4097e9f340df2ced43a2a622c944420c164a79

SHA256
740d45a5a350942e59313a43cca6931468d6a361c9e4b1b390d217513686c99a

SHA512
ac3c971dbd2736e94a1be03d7f6401c4ae13b84d84e14f504d26ba8572644f3ae6a3c9dcc7c3566ca82e511ac13c9a72e23dda3c10d71d06de74693eb871861e

Download Submit
C:\Windows\QMDispatch.dll

Filesize
107KB

MD5
8e6e1a1d29ddc38e120afc606ce1d845

SHA1
5d9b8d4ccc4f74fd501a2ca377d858ee93252a7a

SHA256
1e8e62d6ea8233a6351f9e0a82e95fb0245281b7d32a2c788261d9feb08e71ac

SHA512
b5c06636ab42b1925f3bcf2a872c3cb0ab7876a0eb88ff6009e3eeea4d3c7f3007d8eef6ca2f5e4b769bf73dde69dca564978cd49f98b1f9bcba49e9258f4f31

Download Submit
memory/3224-23-0x0000000000E60000-0x0000000000E73000-memory.dmp

Filesize
76KB

Download
memory/3224-29-0x0000000002830000-0x000000000289D000-memory.dmp

Filesize
436KB

Download
memory/3224-30-0x0000000002830000-0x000000000289D000-memory.dmp

Filesize
436KB

Download
memory/3224-46-0x0000000003A60000-0x0000000003AAE000-memory.dmp

Filesize
312KB

Download
memory/3224-13-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3224-58-0x0000000003A60000-0x0000000003A69000-memory.dmp

Filesize
36KB

Download
memory/3224-17-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/3224-102-0x0000000002830000-0x000000000289D000-memory.dmp

Filesize
436KB

Download
memory/3224-99-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3224-103-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/3224-115-0x0000000003A60000-0x0000000003AAE000-memory.dmp

Filesize
312KB

Download
memory/3224-116-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download