984406c0310d6af570a57ab8fe1f76f073baa5879c1431859d6006a8c3e8c91b

Analysis

max time kernel
140s
max time network
139s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Size

303KB
MD5

20c39cab80fac40a7db9a24f31ae76a4
SHA1

b07b022544b17e9f619867d2319a0500575a179b
SHA256

984406c0310d6af570a57ab8fe1f76f073baa5879c1431859d6006a8c3e8c91b
SHA512

4d22803c17919f506403779672f246996b01eff122ced3d83bcb134e0e0b2c7ed0eaa53fa4331702a7ab497568b70b0d75d80833c5aeae8bb3ffe97e68e66214
SSDEEP

6144:gYoYkXCmIJghOVs+sF60T0trwGPtylLuSAcY1swGY6mLxwUxaNHmbRJ0eJmMlQvL:fEP1p+sF6e0J1jjcY1swOmGOaVmbRuu4

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2420	FP_AX_CAB_INSTALLER64.exe

Loads dropped DLL 1 IoCs

pid	Process
1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1636-0-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1636-556-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1636-997-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
File opened for modification	C:\Windows\Downloaded Program Files\SET28B6.tmp	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
File created	C:\Windows\Downloaded Program Files\SET28B6.tmp	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426135420"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000005fca8181726ed408857d49d71bce5be62f082c4bc864256a285ab46da64014ee000000000e800000000200002000000032c1e30ece5ead4c26816597477b7d55b580e919d41a405dc0d279db5f9cfd4c20000000c8ea59596d4e859f161d74220092933d554e45aaa761102b43183deceabc0afe40000000f0219038bd89d11d98590e6e61f2babe3a3e404ddcaff42422ea4e43b2344f21ea7ae2d7e31e9b7e3e80f24a19aaf6784707183c06b408c22972fd486f859d8f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9061E891-38E3-11EF-BB1B-4658C477BD5D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e002ad67f0ccda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000003d041e347ce4bcfdbfc320794b9b3d8d0dd0bae06a7f686b3a38f39c45e4b3b9000000000e8000000002000020000000ad02f69d708f75347c02ebc09a1be58e6d7ff69ee02646df7f070eb9a2fd326990000000f37fedd08702d5444c9587466f646881be119eb03519608619afabe86736e220363e0e09b0e7a1e3afd52c2d9a5bbd78814357af2c459647357debae6ec7088299ae0935c49af3809d2b092386a17a12d9ddb796645fc4c43d391ec3f07be794ce9f657fe6e4db858910e4062c6754b38720fb979e82fcf68f1e27537343fa661c1ea44381f33524961a55c7994c20a6400000009927a64de0dc494a16168723451225f0ecf0c8a16d3dc00868c9662b9d59a14f68f9cf9859a4c1acd80c586bc25f703dc3fe191ad7bc580f840263152d6149ae	iexplore.exe

Modifies registry class 20 IoCs

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2420	FP_AX_CAB_INSTALLER64.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Token: SeRestorePrivilege	1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Token: SeRestorePrivilege	1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Token: SeRestorePrivilege	1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Token: SeRestorePrivilege	1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Token: SeRestorePrivilege	1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Token: SeRestorePrivilege	1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2716	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
2716	iexplore.exe
2716	iexplore.exe
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2420	1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe	29
PID 1636 wrote to memory of 2420	1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe	29
PID 1636 wrote to memory of 2420	1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe	29
PID 1636 wrote to memory of 2420	1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe	29
PID 1636 wrote to memory of 2420	1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe	29
PID 1636 wrote to memory of 2420	1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe	29
PID 1636 wrote to memory of 2420	1636	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe	29
PID 2420 wrote to memory of 2716	2420	FP_AX_CAB_INSTALLER64.exe	30
PID 2420 wrote to memory of 2716	2420	FP_AX_CAB_INSTALLER64.exe	30
PID 2420 wrote to memory of 2716	2420	FP_AX_CAB_INSTALLER64.exe	30
PID 2420 wrote to memory of 2716	2420	FP_AX_CAB_INSTALLER64.exe	30
PID 2716 wrote to memory of 2120	2716	iexplore.exe	31
PID 2716 wrote to memory of 2120	2716	iexplore.exe	31
PID 2716 wrote to memory of 2120	2716	iexplore.exe	31
PID 2716 wrote to memory of 2120	2716	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
  C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
89867e7a4659da8b02bf1e90a15f7bea

SHA1
eacdf84284d7ea75bf9627037c422a122fb24707

SHA256
e97df6a8c8c0430c5dd474d46364dc71381c4e4abbeab248ae42c85329c5646b

SHA512
ae37114b022919e829b2af646cdadd6b55f921b63587bc1de65f0622a542a5988d83c3d456e150b096e256d9e2b2f6810d06b3c9a7ed35be38c976a5d8d9ccbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a58167944eed48f3efbefc7b7e2bce4

SHA1
195fdc53417bf22778e302cb93b05709663f8cba

SHA256
7c3030917972c7b412d5263514c8179c1575a647ba0ac96bfe59b168dc3ac1f3

SHA512
713f1515e96c219623b010e4c1ab9b2dda257be48170baa04dae5f32be133a4b989e2de4132964d067d63b401b019cb5b2d624a2d5f2b3d659fd6572453cb0b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37ecc4c3a024b946f50b50708969bda9

SHA1
905605c467f89691396f6574f3d78d464fb36f13

SHA256
6714babff921d355d6ee023a1d720e61f7db225ee140cdaac599bdfd421c62fd

SHA512
f465e4ab266cdbaf2b25ab0a5e3138a55145c7cebbc793d7adf6410a2d0264c9c84713023955d3e8152c3ffa14952ebc6359d4fe8ed38b955a051cb72f75be51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5e8bcc8c818bff62a96262895100333

SHA1
ae208c0b30c3c64027f8416a1d4d4cb4f177b133

SHA256
dc3105c7fe9e8ee3d601b8bb0481b90ed5958f4953ae3834ea94e747e00de818

SHA512
dce4d0998b9b40dbc5f1d301b25298fe305b0251a5b4a82319467669e33562a637d959693a1c2d727aa42b0f5072a85431a03e205a282beda635bf846bd57d5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6e6b539a05aa873cf86acde269688a8

SHA1
f45db0b0d40f3d1597a1d49f698bbc311836ac91

SHA256
707aedd42d16baa2238dc273f925e8d1969e6a27b53f8babd0f360bd4e891339

SHA512
f1739d8eadf22e81927dc84ca94add1fce6172d5b2384590f6c8d289145ba169463f8e3f8a474c0a931a0533591d097d5629a7aecd864f2fa0138b956f22b281

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f0d478d5a600f5a5b9ded65c05b12ee

SHA1
2f7223097a68668f5dc1081b04e4b43c58a8c612

SHA256
a42a5904b272613e1039b4e3b9fc01de77a0eb1300cd50207e38f775a4a2dab7

SHA512
4cf31db5ec154efae41dbdb4d2708c78fab49f2f5909fcc6af220d5c955d4b9d0c6f8b1c3c619f1bd86c7237d065cf3452efa7d046adad332368f34fbc7692ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a2ae5e585abd3fb1db58cdb0e806599

SHA1
56fcbd30c6c84e759b404e94b192fd3e1ee430ff

SHA256
462c627d2d4af2d28424bce5f4222da4baae8978bf488f8337ec72fdf2d6500f

SHA512
ed5e14da1c0931185ddad74ecaf0f8dd687d5da81e57bc5b30fbcb37d3d5584edfecb9afa4b71dcb436e5d209c175aed4edeb816563cb77ee5de898bf9eae4a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d126ab438c0ba93f618407c72449f80

SHA1
e75e4bdb9bdf7d56e78c3f724de944678f9f1cc8

SHA256
24176d2afa9a81896a09afc32d356120c1c5d66c2e5ec2c3fab5d30e1e46aacc

SHA512
13dca594204c7e9631198d7d57045794e5b8300a5ddd5f60cb5e4f9877414aa5f7f2eab71addb34d3ab6337dca8802192714b716f1d6ad86715a86d19270d689

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f045d01cd9bd71edaf74b435aec218c

SHA1
c980b3c09f8febd63836f59deb7dbccab61828b0

SHA256
e58735c9fc1cd8f0244ce75317711047c0a9799580d68b9d890b3e7a7840dbbc

SHA512
bc3939cd916b32035d8f3e2d234468ecf44aaa29973bd6096b5b9bba493dde8435b61b997bb1747f25d4be64709baa444675d9e6d93916ebde79031292646032

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97137fff7150e964d999c6278024e958

SHA1
50007e9a2f1d3260ed3fe555b5fe075fb60aac6d

SHA256
a4a3a437c133ed500ee269987ab013fa5e387926b88c93973f28c469069a187f

SHA512
390c6d40cdeeca7e16c121a2f1b3e7de95057ba998afa549ad18f47048fe2ed16f0588e6c5faa8426aa118171339c747cdb2f79e5f2bbd363646c002ba13aedf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b154416c3edc0b7924a0b8d41acac6a1

SHA1
a3f406a6fbd8159a4f66a0f135a922782f2bb8a7

SHA256
74dec9fdabea23cc795392c8f35f785fa2e193f69e3685ad92f43bdb39a41b31

SHA512
05f451305454c7109a39b6341bf00b315becdddf623b18877a15acc9ee425dc8c6f38bbab4ef67a394fdbb9bed239f1f1e22635f5f5f1b5fd60d51484966c23d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74f9eaa936f9ef4cf86888e40161a8d4

SHA1
98a50bd8a10dd28193bd6800c4eaf55b35f1bd7e

SHA256
bd6f8c8b3ea0b851f4536a35c23e7069f57e0e5359047179486e086f2c93971a

SHA512
c4e55acf79f6147de2da19fbf770bc62d09be701ef4e26e490d625864d98c42ea8a792c8321a92263d5834144e22922007dd96d960efb0ef143846d492557a69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
8ea0bdaff1907d1533e00029b990b18d

SHA1
0fe6d8caee4ccc153f1346a01355bede0de60902

SHA256
d377aa5c67cfd4dfe0b61adba20cc2521872e5da97f92b9247b4b4f8526d9403

SHA512
5b8614c9742e6b4a8b6590f10487e45c37002606691a4fa1a3c2f75f16b2e589d069b2f328d18559a1d528217d5deb4251554fb9e0e46170c56372ac4bae0b48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b3c000e56b9fe326b64838c969d8740f

SHA1
6c2af0c51b1c0d464f263b245124d129252f980f

SHA256
bf6b9d0b11e18ae6a8b43afcc2124bf751e5a8f67e5f3ba69b7d5ca2f2a85d11

SHA512
478b406effaa5faae0e6f6ac6ad675d2e51d2734c56d1e43a5774ad278448ef7968ffc2a15f299d879bf81b5f0de3968bff16d29d7ffd488f7019fad0f435c4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\swflash[1].cab

Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1E4C.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1ECC.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2A3D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
memory/1636-997-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1636-980-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1636-556-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1636-0-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1636-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.eBookNSHandler	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9C453F21-396D-11D5-9734-70E252C10127}\ = "eBookNSHandler"	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.eBookNSHandler\Clsid	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.eBookNSHandler\Clsid\ = "{9C453F21-396D-11D5-9734-70E252C10127}"	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D173E10A-001D-4318-9822-8C97A8418482}	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D173E10A-001D-4318-9822-8C97A8418482}\ = "ExternalNSHandler"	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D173E10A-001D-4318-9822-8C97A8418482}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe"	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.ExternalNSHandler\ = "ExternalNSHandler"	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.ExternalNSHandler\Clsid	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D173E10A-001D-4318-9822-8C97A8418482}\ProgID	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D173E10A-001D-4318-9822-8C97A8418482}\ProgID\ = "20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.ExternalNSHandler"	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9C453F21-396D-11D5-9734-70E252C10127}	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9C453F21-396D-11D5-9734-70E252C10127}\LocalServer32	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9C453F21-396D-11D5-9734-70E252C10127}\ProgID	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9C453F21-396D-11D5-9734-70E252C10127}\ProgID\ = "20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.eBookNSHandler"	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D173E10A-001D-4318-9822-8C97A8418482}\LocalServer32	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.ExternalNSHandler	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.ExternalNSHandler\Clsid\ = "{D173E10A-001D-4318-9822-8C97A8418482}"	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9C453F21-396D-11D5-9734-70E252C10127}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe"	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.eBookNSHandler\ = "eBookNSHandler"	20c39cab80fac40a7db9a24f31ae76a4_JaffaCakes118.exe